UK consumer electronics retail group Dixons Carphone has been fined £500,000 after hackers compromised its point-of-sale system and gained access to the details of 5.6 million payment cards.
The Information Commissioner's Office (ICO) levelled the fine, judging that Dixons Warehouse had failed to properly secure the system before the attack.
Hackers managed to install malware on 5390 POS devices at Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
The breach gave unauthorised access to 5.6 million payment card details used in transactions, and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
The ICO says Dixons Warehouse breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.
Steve Eckersley, director of investigations, ICO, says: "It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."