Dixons Carphone Hit With £500,000 Fine For Data Breach

Dixons Carphone is the latest retailer to be fined for failing to protect customers' data. The UK Information Commissioner's Office (ICO) has imposed a £500,000 penalty on the company over a malware attack on its point-of-sale systems and the resulting data breach, which the retailer disclosed in 2018.

Dixons Data Breach Overview

In June 2018, the UK retailer disclosed a data breach involving its customers' payment cards. It revealed that payment processing systems in Currys PC World and Dixons Travel stores had been compromised and exposed to attackers. At that time, the company estimated that the non-financial personal data of around 1.2 million customers had been accessed.

Just over a month later, Dixons Carphone published an update on the breach, revising the number of affected customers up to 10 million. The company stressed, however, that it had found no evidence that customers' financial details had been misused.

ICO Imposed Fine On Dixons Carphone

After a lengthy investigation, the firm has now received a hefty fine from the UK Information Commissioner's Office (ICO) over the breach.

According to the ICO's penalty notice, the breach affected at least 14 million people. The incident stemmed from a malware infection of 5,390 point-of-sale (POS) terminals, which continued harvesting customers' data for over nine months.

The ICO's investigation found that an attacker installed malware on 5,390 tills at DSG's Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data throughout that nine-month period before the intrusion was detected.

As a result, the attacker was able to obtain the personal data of 14 million customers, as well as the payment card details of 5.6 million.

For breaching the Data Protection Act 1998 through inadequate security arrangements, the ICO imposed a fine of half a million pounds.

That is the maximum penalty available under the Data Protection Act 1998, and a narrow escape for the firm: the 1998 Act applied only because the breach occurred before the Data Protection Act 2018 and the EU GDPR came into force in May 2018. Had the incident been judged under the newer regime, Dixons Carphone could have faced a considerably larger fine.
