Dixons Carphone fined £500k over massive data breach

UK consumer electronics retail group Dixons Carphone has been fined £500,000 after hackers compromised its point-of-sale system and gained access to the details of 5.6 million payment cards.

The Information Commissioner's Office (ICO) levied the fine, judging that Dixons Warehouse had failed to properly secure the system before the attack.

Hackers managed to install malware on 5,390 POS devices at Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.

The breach gave unauthorised access to 5.6 million payment card details used in transactions, and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

The ICO says Dixons Warehouse breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.

Steve Eckersley, director of investigations, ICO, says: "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."

Comments: (1)

A Finextra member, 10 January, 2020, 12:40

With a fine of just £500k, they were very lucky. Hopefully the lessons of poor security and failure to protect personal data have now been learned. If not, and they have another significant breach, with their tight profit margin it may spell the end of their presence in the high street.