UK Retailer fined half a million pounds due to poor security safeguards

ICO fine

The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on UK retailer DSG Retail Limited after its point-of-sale computer system was compromised in a cyber-attack, affecting at least 14 million people.

So your company accepts card payments for its products or services. You value security, so you have made sure your website uses HTTPS (Hypertext Transfer Protocol Secure), which encrypts traffic between the customer’s browser and your server. But is that enough to safeguard the highly sensitive personal data your customers hand over in both online and in-store sales? HTTPS protects data in transit; it does nothing for card data once it has reached your servers, and nothing at all for the tills in your shops. Have you put adequate controls in place to detect and block malware or an intruder? Or do you believe this is not something you need to worry about because… well, your site is HTTPS. “Secure” is built into the acronym, so what could possibly go wrong? A lot, actually, including a hefty fine, particularly if your customers are residents of the EU or UK. We strongly urge you to take a detailed look at your company’s safeguards, lest you find yourself in hot water, much like the UK retailer DSG Retail Limited (DSG), which has been fined half a million pounds by the ICO for failing to keep personal information secure.

A January 9, 2020 ICO news article explains that an ICO investigation found that an attacker had installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, and had collected personal data for the nine months before the attack was detected. DSG’s inadequate security systems therefore allowed unauthorised access to the details of some 5.6 million payment cards and, from internal servers, to the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks, the ICO further notes.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen … The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” ICO Director of Investigations Steve Eckersley is quoted as saying in the news article.

The £500,000 fine, the maximum available, was levied under the Data Protection Act 1998 because the breach took place before the GDPR and the Data Protection Act 2018 came into effect in May 2018. Under the GDPR, security of processing is covered by Article 32, and fines can reach €20 million or 4% of annual worldwide turnover, whichever is higher.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and the UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
