An investigation led by the ICO found that an attacker installed malware on 5,390 tills at Currys, PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
This hacking campaign was active between July 2017 and April 2018 and resulted in malware being installed on 5,390 Point-of-Sale (POS) systems at Currys PC World and Dixons Travel Stores, owned by DSG Retail Ltd. The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.
To make matters worse, the company’s internal servers were also attacked and the personal data of roughly 14 million people was estimated to have been exfiltrated. The information included full names, postcodes, email addresses and failed credit checks from internal servers.
The ICO has issued DSG Retail Limited with a sizeable fine of £500,000 under pre-GDPR legislation. The decision sets out the ICO’s expectations as to the “appropriate technical and organisational” measures companies must take to protect personal data. As such, the decision is very relevant to how the equivalent standard will be applied under the GDPR.
The ICO set out the minimum cyber security measures that large nationwide retailers (and organisations of similar size and profile) should look to consider. The decision states that organisations such as Currys/PC World should have had at least the following technical and organisational measures in place:
- network segregation;
- local firewalls;
- software patching and updates;
- penetration testing and vulnerability scanning;
- logging and monitoring systems;
- point-to-point encryption;
- privileged account management; and
- adherence to industry standard hardening guidance.
These measures likely constitute the minimum appropriate technical and organisational measures that organisations of a similar size and profile should have in place. Organisations that depart from those measures will need to have good reasons why those measures are not appropriate to them.
The ICO’s decision notes that the general public would expect DSG to ‘lead by example’ on cyber security. This suggests that the ICO will hold organisations in which the general public places trust to a higher standard. The ICO’s comments also suggest a greater level of scrutiny will be applied to organisations that handle large quantities of payment card data.
Under GDPR the fine would likely have run into several million pounds, so it is extremely fortunate for DSG that the timing of the hack predated the implementation of GDPR. Some of the security errors were extremely basic and so deserved censure; a £500,000 fine is low in the scheme of things, although the hidden costs of adverse publicity will be considerably more.
There is now a growing body of regulatory guidance from data protection regulators across Europe on these issues and this will continue over the next year or so as they work through a backlog of post-GDPR breaches. Companies that don’t heed that guidance will not just face potential fines but also follow-on litigation.
DSG are of course not happy with the decision and are considering appealing it. We will keep you updated on any progression of these matters, as well as on the ICO’s fines against BA and Marriott for their data breaches.
In the meantime, if you need any advice, Briffa advises on all aspects of GDPR and Intellectual Property and offers free consultations to all new clients. If you would like to book a call or a meeting with one of our specialist IP lawyers, please contact [email protected] or 020 7288 6003.
Hasnath Ahmed, Solicitor