The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000, the maximum financial amount possible, after its point of sale system was compromised in a cyberattack that resulted in the breach of personal data of 14 million customers, and the theft of 5.6 million payment card details.
The ICO investigation came after DSG’s stores Currys PC World and Dixons Travel were targeted by hackers between July 2017 and April 2018. Over this period the threat actors managed to install malware onto 5,390 point of sale tills. In January 2018, the ICO fined DSG’s Carphone Warehouse £400,000 for similar vulnerabilities.
Steve Eckersley, ICO’s Director of Investigations, commented that: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data.
“It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
In response to the fine Dixons Carphone Chief Executive, Alex Baldock, commented: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident.
“We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result. We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our Information Security systems and processes.”
ICO Fines DSG Retail Limited the Maximum Amount Possible
As the breach occurred before the GDPR came into force, DSG has been fined under the Data Protection Act 1998. Under that Act the ICO is restricted to a maximum financial penalty of £500,000. Any breach that occurred after May 2018 is subject to GDPR rules, under which culprits can be fined up to £17 million or 4 percent of a firm’s global turnover. If DSG had been fined under GDPR rules, its global turnover of 4.3 billion could have resulted in a maximum fine of £172 million.
The ICO’s Director of Investigations Eckersley did note that cyberattacks are becoming more frequent, but stated that organisations have ‘responsibilities’ under the law for how they protect systems that contain sensitive personal data.
As a result of the DSG breach the ICO received 158 complaints from DSG customers who had been affected. Dob Todorov, CEO of HeleCloud, told Computer Business Review in an emailed statement: “A key concern for UK business is with whom the responsibility lies when it comes to security and compliance within the organisation. Take the General Data Protection Regulation (GDPR), for example. On paper, this regulation is the responsibility of the “data controller” and the “data processor”.
“Yet, in real life, this regulation concerns multiple stakeholders within a single organisation. For example, compliance challenges like GDPR are typically owned by an organisation’s legal team. Yet, the IT team including the CIO also have a key role to play in data protection and cybersecurity. They are responsible for the devices, services and systems that generate, process and guard the data. The team’s responsibilities lie in the protection of information (including personal information) and the standards defined by the business.”