DSG Retail fined for failing to secure customer data

What happened?

The Information Commissioner’s Office has fined DSG Retail (owner of Dixons and Currys PC World) half a million pounds over a computer hack which compromised the personal information of at least 14 million people.

The investigation found that an attacker installed malware on 5,390 cash registers at Dixons Travel stores and DSGs Currys PC World between July 2017 and April 2018, collecting personal data.

The company’s failure to secure its systems compromised the security of 5.6 million payment cards used in transactions on the registers. The majority of the cards were protected with standard EMV chip and PIN protection, meaning the cardholder name was not obvious but nonetheless the cards’ account numbers and expiry dates were hacked. To make matters worse, the company’s internal servers were also attacked and the personal data of roughly 14 million people was estimated to have been exfiltrated.

The information included full names, postcodes, email addresses and failed credit checks from internal servers.

What would the fine would have looked like if it was under GDPR?

Under GDPR the fine would have been likely to run into several million pounds, so it is extremely fortunate for Dixons that the attack occurred before the implementation of GDPR.

Did DSG get off lightly?

Yes and no. DSG was lucky with the timing of the hack predating the implementation of GDPR. Some of the security errors were extremely basic so deserved censure and a £500,000 fine is low in the scheme of things, although the hidden costs of adverse publicity will be considerably more. But the ICO’s notice is particularly ‘hard line’ in areas (see below).

Any points companies should take away from this case?

It is a ground-breaking decision because it clarifies some critical points for big business in the UK, namely:

• The Commissioner has confirmed that she will continue with a hard-line approach and that she sees card data as personal data even if it just comprises an account number and expiry date with no name.
• The benchmark to which big business will be accountable is not ‘industry norms’ but rather they must ‘lead by example’. That is a difficult pill for executive boards to swallow because naturally businesses will benchmark costs against their rivals. Equally, the costs of overhauling legacy systems for bigger businesses are relative to their size – it will inevitably cost more and take longer to overhaul the systems of a larger group than a smaller business – but this is no excuse in the eyes of the ICO. Big businesses will have to ensure they stay at the very top of their game with their IT security.
• Data breach remediation could get more expensive. Offering credit monitoring is a standard remediation strategy but actually is very costly to run in practice when millions of records have been affected; the cost of credit checks alone could have run to millions of pounds. Often, this support option is not ‘pushed’ too heavily at affected customers for this reason, but the Information Commissioner criticised DSG for not communicating this support measure more, so businesses experiencing a data breach in the future would need to flag this more heavily.
• DSG was unlucky in that this really was a double hack of card data and customer records including name and address which no doubt worsened the impact of the attack and the fine. In some ways, it seemed DSG couldn’t win; it implemented remediation measures as quickly as possible after the hack but the speed with which it did so meant that the Commissioner felt these measures were evidently ‘readily available’ at the time of the hack and should have been done sooner! However, there were some basic security mistakes which did deserve censure.

If you have been subjected to a data hack or would like to discuss any of the issues outlined in this Keynote, please contact Sarah Needham using the contact details below.