On 9 January 2020, the UK's Information Commissioner's Office ("ICO") announced that it had fined DSG Retail Limited ("DSG"), a UK-based IT retailer trading under brands including Currys PC World and Dixons Travel, £500,000 in connection with a cyber-attack which affected at least 14 million people.
The ICO's investigation revealed that an attacker had installed malware on 5,390 point of sale terminals (that is, the devices on which in-store payments are taken from the customer) across DSG's Currys PC World and Dixons Travel stores. The malware gathered customer personal data, including full names, postcodes, email addresses and failed credit checks, from internal servers for nine months between July 2017 and April 2018 before it was discovered. It was also found that 5.6 million payment card details used in transactions were accessed during this time.
The ICO noted that there were "systemic failures" in DSG's processes with regard to safeguarding personal data and that these failures related to "basic, commonplace security measures showing a complete disregard for the customers whose personal information was stolen". Specifically, the ICO found that DSG had inadequate software patching, no local firewall, and a lack of both network segregation and routine security testing. Because DSG failed to take adequate steps to protect customer personal data, the ICO determined that it had breached the previous Data Protection Act 1998 ("DPA").
As the cyber-attack predated the General Data Protection Regulation ("GDPR") coming into force on 25 May 2018, the fine was issued under the DPA, and the ICO imposed the maximum penalty available under that Act, £500,000. The ICO concluded that, given the types of personal data concerned, the privacy of the individuals involved would be significantly affected and that they would be exposed to the risk of financial theft and identity fraud.
DSG has 28 days from the date of the monetary penalty notice (7 January 2020) to appeal the fine.
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.