The data breach that affected Dixons Carphone this week could have been even more expensive than expected.
Although the company is set to be fined by the ICO after a data breach left customer data exposed to hackers, the impact could have been even greater due to the new GDPR.
The retailer revealed yesterday that it had suffered a data breach that saw over 5.9 million customer debit and credit cards exposed, along with 1.2m personal data records, including names, addresses and email addresses.
However the attack took place in July 2017, meaning that it will be investigated under the previous Data Protection Act. This may still be an expensive mistake though, as the law says that Dixons Carphone could be fined up to £500,000.
Had this event occurred past the May 25th GDPR deadline, it would have fallen foul of the new legislation, meaning the company could have been fined up to £17.6m (€20m), or four per cent of its global turnover, for a major data breach.
Dixons Carphone reported revenues of £10.5bn in 2017, meaning a GDPR fine could have reached as high as £420m.
Dixons Carphone is now set to be investigated by the ICO, FCA and NCSC, meaning further punishment may still be forthcoming.
An ICO spokesman said that the investigation was at an early stage, adding, “We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”
“As the first major data breach to hit headlines since GDPR was enforced last month, there will be many companies keeping a watchful eye over how this is handled," noted Ross Brewer, VP and MD EMEA, LogRhythm.
“Reputations can be rebuilt, but not a lot of businesses can say they won’t be impacted by a significant fall in shares and a huge GDPR fine – even one as big as Dixons Carphone."