NEWS10 January 2020

ICO fines Dixons Carphone £500,000

GDPR Legal News Privacy Retail UK

UK – The Information Commissioner’s Office (ICO) has fined DSG Retail, a subsidiary of Dixons Carphone, £500,000 after a cyber attack on a till system affected around 14 million customers.


An investigation conducted by the regulator found that an attacker installed point-of-sale malware (malicious software) on 5,390 tills at DSG’s Currys PC World and Dixons Travel Stores between July 2017 and April 2018.

The hack was not detected for nine months, allowing the software unauthorised access to information including payment card details used in transactions, personal data including names, postcodes and email addresses, the ICO said, leaving customers vulnerable to financial and identity fraud.

The fine has been issued under the Data Protection Act (DPA) 1998 as the incident occurred before the implementation of the General Data Protection Regulation (GDPR) in 2018.

DSG breached the DPA by having poor security arrangements, such as inadequate software patching, absence of a local firewall, lack of network segregation and routine security tests, the watchdog found.

The monetary penalty, half a million pounds, is the maximum that can be issued under the previous data protection legislation – under the terms of GDPR, the potential fine could have been much higher.

Steve Eckersley, ICO’s director of investigations, said the watchdog found “systemic failures” in DSG’s approach to safeguarding data. He said: “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.”

Dixons Carphone chief executive, Alex Baldock, said: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

The company said it had upgraded its “detection and response capabilities” and invested in its information security systems and processes, but also disputes some of the ICO’s findings, and said it is considering its grounds for appeal.