Serviceteam IT Security News

Dixons Carphone has been hit with the maximum possible fine after the tills in its shops were compromised by a cyber-attack that affected at least 14 million people.

The retailer discovered the massive data breach last summer and a subsequent investigation by the Information Commissioner’s Office (ICO) found the attacker had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.

The rogue software went undetected over a nine-month period between July 2017 and April 2018 and collected a huge amount of data, leaving customers vulnerable to both financial theft and identity fraud.

Steve Eckersley, the ICO’s director of investigations, said the ICO had found “systemic failures” in the way Dixons Carphone looked after its customer data. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” he said.

The attacker harvested the payment card details of 5.6 million people as well as the personal information – including full names, postcodes, email addresses and details of failed credit checks – of approximately 14 million, the data watchdog said in a statement announcing the £500,000 fine.

The ICO said Dixons Carphone’s poor security arrangements and the inadequate steps taken to protect data had breached the Data Protection Act 1998. Last year the ICO fined Carphone Warehouse, part of the same group, £400,000 for similar security vulnerabilities.

The fine is the maximum penalty under the former legislation protecting consumers’ data. The powers of the ICO were bolstered last year when that law was replaced by the General Data Protection Regulation (GDPR). It can now fine a company up to 4% of its annual global turnover, and in the summer, British Airways was fined £183m, while the Marriott hotel group received a near-£100m censure.

Eckersley said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Alex Baldock, the group chief executive of Dixons Carphone, said the company disputed some of the ICO’s findings and was considering its grounds for appeal. The company had, he said, made significant investment in its information security systems and processes. There was “no confirmed evidence of any customers suffering fraud or financial loss as a result”, he added.

“We are very sorry for any inconvenience this historic incident caused to our customers,” said Baldock. “When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”

Source: The Guardian
