The Information Commissioner’s Office (ICO) has imposed a £500,000 fine on UK retailer DSG Retail Limited after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
Ok, so your company accepts credit card payments for product sales or service offerings. You value security, so you’ve ensured that your website uses HTTPS (hypertext transfer protocol secure) in order to provide secure communication over the network. But is this enough to safeguard the highly sensitive personal data your customers are entrusting to you in online and offline sales? HTTPS only protects data in transit between the customer’s browser and your server; it does nothing for a till, server or back-office system that has already been compromised. Have you set up adequate protocols to thwart malware or hacker attempts? Or do you believe this isn’t something you need to worry about explicitly because… well, your site is HTTPS. “Secure” is built into the acronym, so what could possibly go wrong? A lot, actually, including the possibility of a hefty fine, particularly if your clientele are residents of the EU or UK. So we highly implore you to take a detailed look into your company’s safeguards, lest you find yourself in hot water, much like the UK retailer DSG Retail Limited (DSG), which has been fined half a million pounds by the ICO for failing to keep personal information secure.
A January 9, 2020 ICO news article explains that an ICO investigation revealed that an attacker had installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, and had collected personal data for the nine-month period before the attack was detected. DSG’s inadequate security systems therefore resulted in unauthorised access to some 5.6 million payment card details and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers, the ICO further notes.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen . . . The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” said ICO Director of Investigations Steve Eckersley, as quoted in the news article.
The £500,000 ICO fine was levied under the Data Protection Act 1998, since the breach took place before the GDPR and the Data Protection Act 2018 came into effect. Under the current regime, security of processing is covered by Article 32 of the GDPR.