Dixons Carphone faces £500,000 data breach penalty
.jpg)
The Information Commissioner’s Office (ICO) UK has imposed a £500,000 fine on Dixons Carphone (a.k.a. DSG Retail), the parent company behind electronics retailers Currys PC World and Dixons Travel over a data breach between July 2017 and April 2018 that affected millions of customers.
"An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected," read the ICO statement.
The data accessed include 5.6 million payment card details and the personal information of close to 14 million people, including full names, postcodes, email addresses and failed credit checks.
"The ICO found that DSG had failed to comply with the seventh data protection principle – the obligation to keep personal data secure," said Martin Sloan, partner at Brodies Solicitors.
"The ICO found that DSG had not taken appropriate steps to protect personal data from malicious attacks," he told SC Media UK
The probe blamed poor security arrangements: faulty software patching, lack of strong firewalls, network segregation and routine security testing, and failure to adequately protect personal data.
"DSG confirmed that at the time of the incident, its POS systems were not segregated from the wider DSG corporate network. Sufficient internal segregation could have contained the compromise to a particular section of the network," said the monetary penalty notice issued by the ICO.
"DSG’s approach to software patching of its domain controllers and the systems used to administrate them was inadequate. Evidence provided by DSG in support of its representations to the Commissioner confirmed that as at May 2017, DSG’s POS terminals were not compliant with its own patching policy and were not fully compliant until November 2017," it added
This is the second ICO penalty faced by the group. In January 2018, Carphone Warehouse, which is part of the same company group, had to pay £400,000 for similar security vulnerabilities.
"In its decision notice, the ICO says that the previous incident involving DSG's Carphone Warehouse subsidiary is an aggravating factor. In other words, the fact that the ICO had previously taken enforcement action against a DSG company for a similar incident was a reason for imposing a fine at the higher end of the scale. In this case, the fine was the maximum possible fine under the Data Protection Act 1998," said Sloan.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen," ICO’s director of investigations Steve Eckersley said in the statement.
"The contraventions, in this case, were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
"The incident took place between July 2017 and April 2018, though the underlying failures date back longer. It, therefore, pre-dates GDPR," said Sloan.
"The ICO makes clear that had GDPR applied then a higher penalty would have been imposed. We are currently awaiting the outcome of the ICO's notice of intention to fine IAG and Marriott following major cyber attacks, which will give us an indication of the ICO's approach to fines under GDPR."
The General Data Protection Regulation mandates a fine of up to £17 million or 4 per cent of the company’s turnover.
"We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident," Dixons Carphone CEO Alex Baldock said in a statement.
"We are disappointed in some of the ICO's key findings which we have previously challenged and continue to dispute. We're studying their conclusions in detail and considering our grounds for appeal."
A fine at the top end of the scale was inevitable, given the circumstances and the previous incident involving Carphone Warehouse, Sloan noted.
"In this case, the ICO notes a catalogue of errors, including non-compliance with PCI-DSS, a failure to follow Microsoft guidance on patching vulnerabilities, system configuration and the use of firewalls, and a reliance on outdated software. Some of these issues were brought to DSG's attention following an assessment by an information security consultancy in May 2017, but were not acted upon," he explained.
source scmagazineuk
Industry: Cyber Security
Latest Jobs
-
- Senior Client Microsoft Security Delivery Consultant - Hybrid (London | Remote)
- London
- N/A
-
Senior Client Microsoft Security Delivery Consultant - Hybrid (London | Remote) We are seeking an experienced technical Security Consultant to help clients deploy and enhance their cyber defences across Microsoft and vulnerability management technologies. You will work with enterprise customers to deliver tailored solutions across threat detection, endpoint protection and exposure management, ensuring security platforms are efficient, integrated and aligned with operational goals. Whilst you won't do the design yourself- you will work alongside technical Presales to document, agree and then deliver the solution. You will have experience leading delivery the implementation and improvement projects, providing hands-on support with configuration, integration and optimisation. You will assess existing environments, recommend enhancements and guide clients on best practice to strengthen visibility and control. Strong experience with SIEM, XDR and vulnerability tooling (Microsoft & Tenable ecosystems ideal) Understanding of Azure security, identity and access controls Background in consulting or project-based cyber delivery Clear communication skills with the ability to engage senior stakeholders Extra points if you have the SC-100. You must be eligible to achieve UK Security Clearance to be considered for this role.
-
- Account Director | Cyber Security Consulting | UK - South East
- London
- N/A
-
Account Director | Cyber Security Consulting - Financial Services | UK - South East. New Role due to Growth We are looking for an experienced Account Director to develop and expand existing relationships across the financial services sector, working with investment firms, asset managers, private equity groups and strategic partners to deliver intelligent cyber consulting and a bespoke Cyber product offerings. You will act as a trusted advisor, helping organisations strengthen digital resilience, manage third-party and regulatory risk and adopt a proactive approach to cyber assurance. Key Responsibilities Manage a defined portfolio of financial clients, understanding business priorities and aligning tailored cyber solutions. Drive new client engagement while nurturing existing partnerships through a consultative, long-term approach. Present the benefits of advanced cyber services including threat intelligence, vulnerability management, incident readiness, and continuous risk monitoring. Collaborate with technical and delivery teams to ensure smooth engagement from proposal through to implementation and ongoing support. Prepare proposals, negotiate commercial terms, and clearly articulate value and business outcomes. Build trusted relationships at senior and board level. Ideal Profile Strong background in cybersecurity, consulting, or risk management within financial services. Skilled communicator with proven success managing and growing key accounts. Able to translate complex technical insight into commercial and strategic value for clients. Confident engaging with senior stakeholders and decision makers. Please note: Sponsorship is not available.
-
- SOC Analyst- Level 2- Hybrid Greater London
- London
- N/A
-
SOC Analyst- Level 2- Hybrid Greater London New opportunity created through continued growth. We’re looking for a SOC Analyst (Level 2) to strengthen a growing managed security team. You’ll work hands-on with Microsoft Sentinel and Defender XDR, investigating alerts, responding to incidents, and helping improve how clients stay protected. This role is ideal for someone who enjoys unravelling security events, thinking critically under pressure, and making a real difference day to day. What you’ll do · Investigate and respond to security activity across SIEM and endpoint tools · Analyse network and log data to uncover real threats · Support automation initiatives to streamline response processes · Help maintain visibility, data flow, and performance across SOC platforms What you’ll need · Practical experience using Microsoft Sentinel and Defender XDR · Confident working with KQL or similar query languages · Understanding of attacker tactics and response techniques · SC-200 certifications would be nice. · Experience supporting multiple customer environments Please note: Sponsorship is not available.
-
- Senior SOC Engineer - UK - New role due to growth
- London
- N/A
-
Senior SOC Engineer – New role due to growth We are hiring a Senior SOC Engineer to take the lead across security operations for a growing managed service. You will lead detection, response and onboarding activity across multiple clients, helping shape how the SOC evolves. Expect variety; from fine-tuning alerts and threat hunting to supporting customers and mentoring junior analysts. What you’ll bring · Strong experience across SIEM, EDR, and threat detection tools · Confident working with customers in a managed service environment · Skilled in scripting or query languages such as KQL or PowerShell · Knowledge of frameworks like NIST, ISO27001, MITRE ATT&CK · Calm communicator with a problem-solving mindset · Experience with Azure Lighthouse or delegated access models · Prior involvement in automation or SOC improvement projects Location: South East England- Hybrid role Please note: Sponsorship cannot be offered now or in the future.