The parent company of Currys PC World has been fined £500,000 after its point of sale system was breached by hackers, thought to have affected around 14 million customers.
Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixon Travel outlets, both owned by DSG Retail Limited, according to an investigation by the Information Commissioner's Office.
It's believed 5.6 million payment card records used in transactions were accessed as a result, as well as the personal information of 14 million people, including full names, postcodes, email addresses and information related to failed credit checks.
Given that the incident occured prior to the introduction of the General Data Protection Regulation in May 2018, the case fell under the Data Protection Act 1998, which stipulated a maximum fine of £500,000. Under new laws, the retailer would have been subject to potential fines of up to 4% of annual turnover, or £17 million.
The ICO said that DSG Retail, which also owns the Carphone Warehouse brand, was in breach of the 1998 act as it had failed to maintain adequate security measures to protect its data. This included poor patch management, a lack of a local firewall, lack of network segregation and a lack of routine penetration testing.
Carphone Warehouse itself was also fined in January 2018 for similar vulnerabilities, to the tune of £400,000.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data," said Steve Eckersley, director of investigations for the ICO. "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
Testing for compliance just became easier
How you can use technology to ensure compliance in your organisation
The authority added that the theft of such personal data would likely significantly affect individuals' privacy, and therefore met the criteria for the toughest possible sanction under law. It added that customers would likely be vulnerable to financial theft and fraud as a result.
As of March 2019, 3,300 customers had issued complaints to DSG Retail in relation to the breach.
