The Information Commissioner’s Office (ICO) has fined Dixons Carphone £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An investigation led by the ICO found that an attacker installed malware on 5,390 tills at Currys, PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
It found the hackers were able to access the names, postcodes, email addresses and failed credit checks of millions.
The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people.
The ICO said the firm failed to keep its software up to date or install a local firewall.
“Our investigation found systemic failures in the way DSG Retail Limited (a Dixons Carphone subsidiary) safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said Steve Eckersley, the ICO’s director of investigations.
The company narrowly escaped a much bigger fine under new GDPR rules which only came into effect after the breach started. Sanctions can now be up to €20m (£17m) for a significant breach.
“Such careless loss of data is likely to have caused distress to many people, since the data breach left them exposed to increased risk of fraud,” Eckersley added.
Dixons Carphone chief executive Alex Baldock said: “We are very sorry for any inconvenience this historic incident caused to our customers… We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”
It is not the first time a company in the group has been fined over cyber-security failures. In January 2018, Carphone Warehouse was charged £400,000 by the ICO.
The ICO said that while cyber-attacks are becoming more frequent, it is up to companies to take their security seriously and protect people’s data.