Dixons Carphone has been handed a £500,000 fine by the Information Commissioner’s Office (ICO) after a cyber-attack compromised the personal information of around 14 million people. The £500,000 represents the highest possible fine under the previous regulation. If, however, the breach had taken place post-GDPR, the fine could have been as much as £17 million.
The breach occurred when malware was installed on 5,390 tills across Currys PC World and Dixons Travel stores. This gave the cyber criminals access to the details of 5.6 million payment cards between July 2017 and April 2018. It was not just payment card details that were exposed, but also the personal details of approximately 14 million customers, including names, addresses, emails and credit check data.
Steve Eckersley, the ICO’s Director of Investigations said: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous regulations, but the fine would inevitably have been much higher under GDPR.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.”
Whilst the introduction of GDPR has certainly increased the awareness of both consumers and businesses of the value of data and the importance of securing it, many firms are still struggling to adhere to the regulations, or to remain on top of a constantly moving and increasingly sophisticated threat from cyber criminals.
“The Dixons Carphone case highlights the ease with which cyber criminals can quickly get hold of hugely sensitive and valuable data. 2019 saw a huge increase in awareness from the public about the value and vulnerability of their data. This means that any breach now is more in the spotlight of the media and regulators than ever before,” said AJ Thompson, CCO at Northdoor.
“With this in mind, companies, even if they consider themselves to be adhering to regulations, need to be on the constant lookout for new threats that very likely go beyond what existing regulations protect. They should also be aware of their supply chain, and how secure their partners are. You are essentially only as secure as those who have access to your systems; without ensuring you have a secure supply chain you will always be at risk.
“2020 is likely to see an increase in the scrutiny on any data breach. With the increase in awareness from the public and media alike, a data breach now cannot just cause a serious financial loss, but a serious impact on a company’s reputation.
“We are urging clients to be proactive in their approach to cyber security. Whilst the threat will never go away, ensuring that you are not sitting on your hands whilst cyber criminals are constantly working out new, innovative ways to get access to data is a real step in protecting your customers’ data and your reputation,” concluded Thompson.