Exposing 14 million customers: ICO enforcement action against Dixons Carphone
The Information Commissioner's Office ('ICO') has fined DSG Retail Limited, trading as Dixons Carphone, £500,000 for failing to secure the personal data of 14 million customers. The data was extracted after the company's point of sale ('POS') system was compromised in a cyber-attack.
This comes only two years after Carphone Warehouse, part of the same group, was fined £400,000 in January 2018 over an earlier breach of its customer data.
The attacker installed malware on 5,390 tills in Currys PC World and Dixons Travel stores. The malware ran undetected from July 2017 to April 2018, giving the attacker unauthorised access to, and the ability to collect, customers' personal data. The compromised data included full names, postcodes, email addresses, payment card details and records of failed credit checks held on internal servers.
The ICO found that DSG Retail Limited had breached the Data Protection Act 1998, which still governed the incident because it ended before the GDPR took effect in May 2018; £500,000 was the maximum penalty available under that Act. In particular, the ICO found that the retailer's security arrangements were poor and that it had failed to take adequate steps to protect personal data. The specific failings cited were inadequate software patching, the absence of a local firewall on the tills, no segregation of the POS network from the rest of the estate, and no routine security testing. Each of these is a basic control that would have limited how far the malware could spread and how long it could operate unnoticed.
This announcement is a further reminder that the ICO will take action where it finds that a business does not have sufficient systems and processes in place to protect personal data.
If you are concerned about your company’s compliance with the GDPR, speak to one of our experts.