
Dixons Carphone fined £500k over massive data breach

UK consumer electronics retail group Dixons Carphone has been fined £500,000 after hackers compromised its point-of-sale system and gained access to the details of 5.6 million payment cards.




The Information Commissioner's Office (ICO) levied the fine after concluding that Dixons Carphone had failed to properly secure its point-of-sale system before the attack.

The attackers installed malware on 5,390 POS devices in Currys PC World and Dixons Travel stores between July 2017 and April 2018, harvesting card and personal data for the nine-month period before the intrusion was detected.

The breach gave unauthorised access to 5.6 million payment card details used in transactions, and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.

The ICO says Dixons Carphone breached the Data Protection Act 1998 through poor security arrangements and a failure to take adequate steps to protect personal data. The failings it cited included inadequate software patching, the absence of a local firewall on the POS estate, and a lack of network segregation and routine security testing.

Steve Eckersley, director of investigations at the ICO, says: "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."



Comments: (1)

A Finextra member

With a fine of just £500k, they were very lucky. Hopefully the lessons of poor security and failure to protect personal data have now been learned. If not, and they have another significant breach, with their tight profit margin it may spell the end of their presence in the high street.
