The Information Commissioner’s Office (ICO) has issued their Dixons Carphone data breach fine, and the amount is the maximum penalty available under the old rules.
This was a sustained cyberattack that lasted between July 2017 and April 2018, meaning that it has been dealt with in accordance with the Data Protection Act 1998. The GDPR that could have allowed fines to be up to 4% of a company’s global annual turnover came into effect in May 2018; just weeks after the breach period ended. Had the breach period have lasted longer, a far greater penalty could have been issued. We have seen this with the provisional £183m issued for the British Airways data breach.
We are representing people who are claiming compensation from Dixons Carphone (DSG Retail Ltd) as one of the dozens of data breach group and multi-party actions that our lawyers are fighting for justice in.
Impact of the Dixons Carphone data breach fine
The impact of the Dixons Carphone data breach fine has been substantial. This is the maximum penalty that the regulator has been able to issue in the case, which reflects their view on how serious the breach was.
Some 14 million people had their personal data exposed. Included in this was the exposure of the details for around 5.6 million payment cards, which can put victims at an immediate risk of serious crimes like fraud and identity theft. Ultimately, this was a sustained attack that has affected a huge number of people, and it may well have been avoidable.
Speaking about the fine and the investigation, the ICO’s Director of Investigations, Steve Eckersley, has said:
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Is the fine justified?
The Dixons Carphone data breach fine has been levied at the highest amount that it can be. This can only mean that the ICO see this as a very serious data breach, and on the face of what they have published, the amount of the fine appears to be justified.
They have cited inadequate security arrangements with vulnerabilities caused by a failure to patch software; inadequate network segregation; and no local firewalls in use. It is also understood that they had not been properly testing their security.
These are all simple things that can allow for data to be properly protected. When they are not in place, you are leaving an open goal opportunity for hackers to exploit, and criminals will go for the easier targets. They managed to get away with stealing data for around nine months, which goes to show just how bad their security practises where.
Appeal
It is understood that the Dixons Carphone data breach fine could be appealed, with the Chief Executive for the company reportedly saying that he is “disappointed” with some of the ICO’s findings.
This could lead to a reduction in the level of the fine. However, given the ICO’s publications about the breach so far, it seems to me that it could be hard to succeed with an appeal given the scale, and severity of the incident, and how avoidable it appears to be.