The ICO’s decision to issue DSG Retail Ltd with the maximum penalty available highlights how seriously it takes data security and which factors influence its decisions.
The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd under the old Data Protection Act 1998 should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.
The scale of the fine comes thanks to a litany of errors, each of which on its own could have constituted a breach, but which taken together amounted to a serious and multifaceted breach of the Data Protection Act.
It started in May 2017, when an assessment of DSG’s point-of-sale payment terminals across its Currys PC World and Dixons Travel stores found that they were not compliant with the PCI DSS standard. Even so, DSG was slow to make changes.
Almost a year later, DSG discovered that the payment terminals had been compromised. Over the course of nine months, an attacker had taken control of a number of domain administrator accounts and installed malware on the POS systems. The malware harvested payment card details of around 5.6 million customers, although an investigation later found that only 85 cards had potentially been used fraudulently.
The attackers had also accessed non-financial data belonging to about 14 million customers, including contact details and credit check records (including failed credit checks). The company was inundated with nearly 3,300 customer complaints about the breach, and the regulator received a further 158 complaints.
The ICO’s investigation listed numerous systemic failures, including:
- Lack of a firewall on the POS terminals
- Inadequate patching of software
- Poor incident response processes
- Insufficient network segregation
- Mismanagement of application whitelisting
These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made matters worse. The firm was already aware of the vulnerabilities but failed to act on them quickly enough. It took a full nine months to identify the breach, and Carphone Warehouse, which belongs to the same group as DSG, had previously been fined £400,000 for a similar, earlier breach.
The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.
Moreover, as a major retailer handling large quantities of sensitive customer data, DSG should have been able to lead by example. It had plenty of resources at its disposal and should have been able to offer better protection to its customers.
The only mitigating factors were that DSG had taken steps to notify its customers and had cooperated with investigators. Even so, the regulator deemed the maximum penalty appropriate.
Lessons to be learned
The scale of this fine should serve as a warning about how seriously the ICO takes data security. Had the breach occurred under GDPR, the fine could potentially have run to millions of pounds. The case shows the factors the regulator takes into account when deciding a penalty: the volume of data exposed, the nature of the breach, the resources of the firm, and how the company responded to vulnerabilities it already knew about.
It is a reminder for businesses to maintain and proactively monitor their security systems and to fix any deficiencies as soon as possible. Cyber crime is now so widespread that if a company identifies a weakness, there is a very good chance an attack will come sooner or later. Firms might be reluctant to spend the time and money fixing issues, but if they don’t, they run a high risk of finding themselves before the ICO and, with GDPR in full swing, the consequences could be catastrophic.