U.K. regulator dings tech retailer for breach that affected 14 million people
Britain’s data protection authority said Thursday it has fined Dixons Carphone, a massive electronics retailer, the maximum fine allowed under law for a data breach that exposed financial information from millions of customers.
Malicious software lurking inside point-of-sale systems at Dixons Carphone stores from July 2017 through April 2018 collected payment card data of 5.6 million people. Attackers accessed personal information including names, email addresses and details about failed credit checks on some 14 million people.
The U.K.’s Information Commissioner’s Office fined the company £500,000 ($653,000) for the incident, the highest penalty authorized under the U.K.’s 1988 Data Protection Act. The ICO found that Dixons Carphone, which reported £10.5 billion (equivalent to $13.7 billion in 2020) in revenue in 2018, broke the law “by having poor security arrangements and failing to take adequate steps to protect personal data.” The company is also known as DSG Retail.
Security issues included a failure to sufficiently patch software vulnerabilities, the absence of a local firewall, a lack of routine security testing and no local network segmentation, a basic component of enterprise security meant to limit hackers’ movement from one system to another.
The incident occurred just before the European Union’s General Data Protection Regulation began enforcement on May 25, 2018. That law threatens fines of up to 4% of a firm’s annual revenue or €20 million ($22 million), depending on the circumstances of the violation.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but this fine would inevitably have been much higher under the GDPR,” the ICO’s director of investigations, Steve Eckersley, said in a statement.
The company said in March 2019 that some 3,300 customers had reached out with concerns about the incident.
Last year, the ICO fined Carphone Warehouse, another division of the same corporation, £400,000 ($523,000 today) for similar data protection failures.