|Date of enforcement action:|
|United Kingdom||GBP 500,000|
|Defendant company or entity:||Industry segment:|
|DSG Retail Limited||Retail /|
The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected.
The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
DSG breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
In January 2018, the ICO fined Carphone Warehouse, which is part of the same company group, £400,000 for similar security vulnerabilities.
|Enforcement authority:||Type of enforcement action:|
|Information Commissioner's Office||Penalty notice|
|Subject to appeal?|
Cite this fine in your work
Data Privacy Fines Index. (2014-01-28 09:55) DSG Retail Limited fined GBP 500k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/dsg-retail-limited-fined-gbp-500k/
Entry last updated: 2020-01-12 11:05 GMT.