Dixons Carphone is staring down the barrel of a £500,000 (about $650,000) fine from the Information Commissioner's Office over a data breach that affected over 14 million customers, according to published reports Thursday (Jan. 9).
The ICO said it found that an attacker had installed malware on 5,390 tills (point-of-sale terminals) at Currys PC World and Dixons Travel stores. The malware harvested customer data for nine months, between July 2017 and April 2018, before it was detected.
Steve Eckersley, the ICO's director of investigations, said in a statement to the Financial Times that there were "systemic failures" in the way Dixons handled people's personal data.
He said it was “very concerning” that the failures were related to what should’ve been “basic, commonplace security measures.”
And, he said, Dixons had shown "complete disregard" for the customers whose data had been stolen. Because of the seriousness of the breach, the ICO decided to impose the maximum penalty available under the previous legislation.
The penalty would have been larger, though, had the breach occurred after the EU General Data Protection Regulation came into force in May 2018.
In the breach, 5.6 million payment card details were exposed to the attackers, along with the personal information of 14 million people, including full names, postcodes, email addresses and failed credit checks, all taken from internal servers.
In response to the ICO’s finding, Dixons said that there was no evidence fraud had occurred as a result of the breach. It pledged to amp up its cybersecurity investments. And, it said, the number of cards compromised was much smaller than reported because many had been “chip and PIN” cards that were more secure.
Dixons said it would consider appealing the penalty and was "disappointed" by the ICO's findings, though its spokesman did not say what would be appealed.
The ICO acknowledged that Dixons had cooperated fully with its investigation, had contacted over 25 million people who may have been affected, and had implemented additional security measures.
But the ICO ultimately said that it couldn’t see a justification for what it called “the extent of these systemic inadequacies.”