The Information Commissioner's Office (ICO) has fined Dixons Retail for poor security that led to a data breach and the theft of financial data of millions of customers.
The retailer should count itself lucky that the breach happened just before GDPR came into force, otherwise the fine would probably have been much, much higher. Instead, the ICO fined Dixons under the Data Protection Act 1998, for just over $650,000.
In the ruling, the ICO said Dixons ran a “poor security arrangement and failed to take adequate steps to protect personal data”, including poor software patching practices, not having a local firewall, not segregating the network and failing to routinely test it for security issues.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said ICO director of investigations Steve Eckersley. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.”
A hacker managed to take advantage of Dixons' poor security practices and install malware on thousands of point-of-sale tills. The ICO says it is impossible to know exactly how many people were affected, but suspects roughly 14 million “data subjects”.
While some had only non-financial information stolen (names, addresses and phone numbers), others had their credit card details taken.