Dixons Carphone put the personal data of millions of customers at risk – here’s what happened

Dixons Carphone put the personal data of millions of customers at risk – here’s what happened
The data breach compromised the personal information of around 14 million people (Photo: Shutterstock)

Dixons Carphone has been issued a fine of £500,000 after its point of sale system was breached by hackers, putting millions of customers at risk.

The parent company of PC World has been ordered to pay the fine by the Information Commissioner’s Office (ICO) after it was found the cyber-attack compromised the personal information of around 14 million people.

Unauthorised access

The probe by the ICO found that malicious malware was installed in 5,390 tills at the company’s Currys PC World and Dixons Travel stores.

The breach allowed hackers unauthorised access to the details of 5.6 million payment cards used over a nine-month period between July 2017 and April 2018, when the cyber-attack was finally detected.

Hackers were able to access personal information of approximately 14 million customers, including names, postcodes, email addresses and information relating to failed credit checks.

The company could have been faced with a bigger fine under new General Data Protection Regulation (GDPR) rules, with fines now allowed to be up to £17 million for a significant breach, although the rules only came into effect after the breach started.

The ICO found that malicious malware was installed in 5,390 tills at the company's stores
The ICO found that malicious malware was installed in 5,390 tills at the company’s stores

Failure to protect customers

The company was criticised by the ICO for its careless security arrangements and failure to protect the data of its customers, which saw it fall foul of data protection laws.

Among the issues were failures to update software to get rid of dangerous bugs, and failures to carry out proper security testing. The company was also issued a fine of £400,000 by the ICO in January 2018 over a separate cyber-attack in 2016.

This incident also occurred prior to the new GDPR rules coming into force in May 2018, meaning the case fell under the Data Protection Act 1998. Under this law, the maximum fine it could be issued was £500,000.

In a statement, Dixons Carphone chief executive Alex Baldock said, “We are very sorry for any inconvenience this historic incident caused to our customers.

“When we found the unauthorised access to the data, we promptly launched an investigation, added extra security measures and contained the incident.

“We duly notified regulators and the police and communicated with all our customers.

“We have no confirmed evidence of any customers suffering fraud or financial loss as a result.

“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment and security systems and processes.”

This article originally appeared on our sister site, Edinburgh Evening News