Dixons Carphone faces £500,000 data breach penalty
.jpg)
The Information Commissioner’s Office (ICO) UK has imposed a £500,000 fine on Dixons Carphone (a.k.a. DSG Retail), the parent company behind electronics retailers Currys PC World and Dixons Travel over a data breach between July 2017 and April 2018 that affected millions of customers.
"An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected," read the ICO statement.
The data accessed include 5.6 million payment card details and the personal information of close to 14 million people, including full names, postcodes, email addresses and failed credit checks.
"The ICO found that DSG had failed to comply with the seventh data protection principle – the obligation to keep personal data secure," said Martin Sloan, partner at Brodies Solicitors.
"The ICO found that DSG had not taken appropriate steps to protect personal data from malicious attacks," he told SC Media UK
The probe blamed poor security arrangements: faulty software patching, lack of strong firewalls, network segregation and routine security testing, and failure to adequately protect personal data.
"DSG confirmed that at the time of the incident, its POS systems were not segregated from the wider DSG corporate network. Sufficient internal segregation could have contained the compromise to a particular section of the network," said the monetary penalty notice issued by the ICO.
"DSG’s approach to software patching of its domain controllers and the systems used to administrate them was inadequate. Evidence provided by DSG in support of its representations to the Commissioner confirmed that as at May 2017, DSG’s POS terminals were not compliant with its own patching policy and were not fully compliant until November 2017," it added
This is the second ICO penalty faced by the group. In January 2018, Carphone Warehouse, which is part of the same company group, had to pay £400,000 for similar security vulnerabilities.
"In its decision notice, the ICO says that the previous incident involving DSG's Carphone Warehouse subsidiary is an aggravating factor. In other words, the fact that the ICO had previously taken enforcement action against a DSG company for a similar incident was a reason for imposing a fine at the higher end of the scale. In this case, the fine was the maximum possible fine under the Data Protection Act 1998," said Sloan.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen," ICO’s director of investigations Steve Eckersley said in the statement.
"The contraventions, in this case, were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
"The incident took place between July 2017 and April 2018, though the underlying failures date back longer. It, therefore, pre-dates GDPR," said Sloan.
"The ICO makes clear that had GDPR applied then a higher penalty would have been imposed. We are currently awaiting the outcome of the ICO's notice of intention to fine IAG and Marriott following major cyber attacks, which will give us an indication of the ICO's approach to fines under GDPR."
The General Data Protection Regulation mandates a fine of up to £17 million or 4 per cent of the company’s turnover.
"We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident," Dixons Carphone CEO Alex Baldock said in a statement.
"We are disappointed in some of the ICO's key findings which we have previously challenged and continue to dispute. We're studying their conclusions in detail and considering our grounds for appeal."
A fine at the top end of the scale was inevitable, given the circumstances and the previous incident involving Carphone Warehouse, Sloan noted.
"In this case, the ICO notes a catalogue of errors, including non-compliance with PCI-DSS, a failure to follow Microsoft guidance on patching vulnerabilities, system configuration and the use of firewalls, and a reliance on outdated software. Some of these issues were brought to DSG's attention following an assessment by an information security consultancy in May 2017, but were not acted upon," he explained.
source scmagazineuk
Industry: Cyber Security
Latest Jobs
-
- Public Sector Cyber Security Sales | UK
- England
- N/A
-
Public Sector Cyber Security Sales | UK UK | Remote / Hybrid A cyber security provider is seeking a Public Sector Sales professional to drive growth across UK government and public sector organisations. Must have current Cyber Security sales experience. Responsibilities Generate new business selling cyber security solutions into UK public sector Build relationships with CIO, CISO and senior technology stakeholders Manage the full sales cycle from opportunity to contract close Develop pipeline across central government, local government and public sector bodies Support bids, tenders and framework opportunities Experience Proven cyber security sales experience in the UK Track record selling into public sector organisations Familiarity with CCS, G Cloud or other government frameworks Strong stakeholder engagement and deal management skills Location UK based Security Requirements Eligible to obtain UK Security Clearance
-
- Security Architect | MoD - Security Cleared. OUTSIDE IR35 | Hampshire
- N/A
- Outside IR35
-
Security Architect | MOD | Security Cleared | Outside IR35 | Hampshire Commutable The successful candidate must be willing to undergo DV Clearance, ideally already holding active clearance. You will produce high and low level security architecture documentation, guiding and validating designs for systems deployed within sensitive environments. The role requires providing specialist security input into solution design, service transition and change initiatives, working closely with engineering, operations, client and third party stakeholders. You must have current hands on architectural experience, including VMware secure platform design and virtualisation architecture, alongside AWS expertise. This is an outside IR35 contract- 6 month rolling. Part of a longer term MoD project
-
- Active Directory | RBA engineer | UK Remote | SC Clearable
- United Kingdom
- N/A
-
Technical Active Directory (AD) and RBA specialist needed to play a key part in complex, enterprise scale Active Directory and access transformation programmes. You will work alongside senior team, helping reshape access models, modernise legacy directory structures and strengthen security posture across secure environments. This is hands on delivery within high impact projects where your work directly improves access control, compliance and operational resilience. Active UK Security Clearance required. This is a remote role with client travel. Implementation of Role Based Access Control across large AD estates Restructuring complex permission models, security groups and delegated access Supporting domain controller upgrades and core directory improvements Applying security hardening standards and remediating audit findings Enhancing authentication, policy and access governance frameworks Troubleshooting and resolving technical AD challenges within live environments Producing robust technical documentation and identifying project risks You must have the following technical experience Enterprise Active Directory administration Role Based Access and permission remediation OU design and governance Group Policy management Security group delegation models DNS and DHCP services Kerberos authentication / NTLM PowerShell scripting and automation Azure AD | Entra ID Hybrid identity environments Identity Governance PAM
-
- Identity and Access Management Consultant (Saviynt & Microsoft Entra) | UK
- United Kingdom
- N/A
-
Role summary Technical IAM consultant delivering identity governance and cloud identity solutions to enterprise clients. What you will do Implement / Configure / Deploy Saviynt IGA / Microsoft Entra solutions: Lead technical workshops, gather requirements and translate into solution designs. Troubleshoot complex issues, support testing and deployments. Produce technical artefacts and configuration guides. Key skills Hands-on Saviynt IGA experience (workflow, connectors, access governance). Strong practical knowledge of Microsoft Entra ID / Azure AD identity and access controls. Understanding of identity protocols (SAML, OAuth, OpenID Connect) and hybrid identity. Experience with APIs / REST for integrations and automation. What we are looking for Proven delivery experience in IAM / IGA projects, preferably in consulting. Confident communicator with client-facing delivery exposure.