
Dixons Carphone

Tuesday 21 January 2020

Dixons Carphone was handed the maximum fine available for a widespread data protection breach involving the sensitive financial and personal information of customers across the UK. However, because the breach occurred under the previous data protection regime, the company escaped a potentially much larger penalty.

In a case that pre-dates the current General Data Protection Regulation (GDPR), attackers compromised the point-of-sale systems used in Dixons' stores. Between July 2017 and April 2018 they installed malware on 5,390 card terminals, which harvested payment card details from customers as they paid. Over the course of this sustained attack, details of more than five-and-a-half million individual payment cards were captured.

The Information Commissioner's Office (the ICO) is the independent body responsible for upholding information rights. In the course of its investigation, the ICO found that numerous aspects of Dixons' cyber-security and IT systems were inadequate, vulnerable, mismanaged and outdated. Dixons was also held responsible for failing to implement security controls recommended by industry standards and guidance; had those controls been in place, the likelihood of the personal data being compromised would have been reduced.

The full list of failings identified by the ICO is too lengthy for this report, but it suffices to say that liability fell squarely on Dixons. The state of its technology and its outdated measures for securing personal data exposed customers to serious risk from a data protection perspective.

The ICO concluded that Dixons had plainly and repeatedly contravened Data Protection Principle 7: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" (Schedule 1 to the Data Protection Act 1998).

Turning to the level of the monetary penalty, the ICO regarded the contravention as grave and serious in several respects. The point it hammered home was that the cyber-attack was not an isolated incident against an otherwise robust and secure set of measures and systems. Rather, Dixons' data security was marred by wide-ranging inadequacies, and the sheer volume of data compromised as a result was significant.

Accordingly, the ICO imposed a penalty of £500,000 on Dixons, the highest permitted under the regulations then in force. In doing so, the ICO explained its decision by reference to (i) the nine-month period during which the breach went undetected, (ii) the risk of financial fraud given the nature of the personal data harvested, and (iii) the national reputation and size of Dixons Carphone plc as a data handler. The general public would ordinarily expect that a nationwide retailer "should know better" when it comes to security and data protection.

It is noteworthy that, had the breach occurred within the scope of the current GDPR, the fine could and probably would have been much larger: the GDPR permits penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher, a substantial strengthening of the penalty provisions.

The fine imposed by the ICO illustrates the seriousness of this case and serves as a clear reminder to all data handlers of the potential ramifications of attacks on their security systems and of the need to remain vigilant. The targets of attacks such as this range from SMEs to nationwide retailers. Those directly affected are, of course, ordinary citizens, who are understandably distressed to discover that their data has been misappropriated and who, even if they do not become victims of fraud as a result, are inconvenienced by having to take steps to secure their personal banking and credit arrangements.

We can of course assist and advise anyone concerned about their obligations to secure personal data that they control or process, and can assist with compliance with notification duties where a security attack has taken place. Through our litigation team we are also able to assist anyone seeking a remedy and peace of mind if their personal data has been compromised.
