The Information Commissioner’s Office (ICO) in the U.K. recently fined DSG Retail Limited (DSG), a U.K.-based electrical and telecommunications retailer, £500,000 (around US$653,841) after its point-of-sale (POS) system was compromised, affecting nearly 14 million customers.
According to the ICO’s investigation, attackers installed malware on 5,390 POS systems at DSG’s Currys PC World and Dixons Carphone stores between July 2017 and April 2018. The investigation revealed that the attackers illegally accessed 5.6 million payment card details and the personal information of approximately 14 million people, including full names, postcodes, email addresses, and failed credit checks held on internal servers. “DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing,” the ICO said in a statement.
The fine was imposed under the previous legislation because the incident occurred before the GDPR came into effect (May 2018). The ICO stated that the fine would have been higher if the cyberattack had happened under the GDPR.
Steve Eckersley, ICO’s Director of Investigations, said, “The contraventions, in this case, were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Eckersley also highlighted, “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.”