DSG Retail Fine: Lessons to Learn

The ICO’s decision to issue DSG Retail Ltd with the maximum penalty possible highlights how seriously they take data security and what factors influence their decisions.

The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd under the old Data Protection Act should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.

What happened?

The scale of the fine comes thanks to a litany of errors, each of which on its own could have constituted a breach, but which taken together amounted to a serious and multifaceted breach of the Data Protection Act.

It started in May 2017, when an assessment of DSG’s point of sale payment terminals across their Currys PC World and Dixons Travel stores found that they were not compliant with the PCI DSS standard. Even so, DSG were slow to make changes.

Almost a year later, they discovered that the payment terminals had been compromised. Over the course of nine months, a cyber attacker had taken control of a number of domain administrator accounts and installed malware onto the POS system. The malware accessed the payment card details of around 5.6 million customers, although an investigation later found that only a total of 85 cards had potentially been used fraudulently.

The fraudsters had also accessed non-financial data belonging to about 14 million customers, including credit checks, contact details and failed credit checks. The company was inundated with nearly 3,300 customer complaints about the breach, and the regulator received 158 complaints.

The ICO’s investigation listed numerous systemic failures, including:

  • Lack of a firewall on the POS terminals
  • Inadequate patching of software
  • A poor response system
  • Insufficient network segregation
  • Mismanagement of the application whitelisting

These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made this even worse. The firm was already aware of the vulnerabilities but failed to take action quickly enough. It took a whole nine months to identify the breach, and Carphone Warehouse, which belongs to the same group as DSG, had previously been fined £400,000 for the same breach.

The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.

Moreover, as a major retailer handling large quantities of sensitive customer data, DSG should have been able to lead by example. They had plenty of resources at their disposal and should have been able to offer better protection to their customers.

The only mitigating factor is that DSG had taken steps to notify its customers and cooperated with investigators. Even so, the regulator deemed the maximum penalty appropriate.

Lessons to be learned

The scale of this fine should serve as a warning about how seriously the ICO takes data security. Had the breach occurred under GDPR, the fine could potentially have run into the millions. It shows the factors the regulator takes into account when deciding a penalty, including the volume of the data exposed, the nature of the breach, the resources of the firm and how the company responded to known weaknesses.

It’s a reminder for businesses to maintain and proactively monitor their security systems, and to fix any deficiencies as soon as possible. Cyber crime is becoming so widespread that if a company does identify a weakness, there’s a very good chance an attack will come sooner or later. While firms might be reluctant to spend the time and money fixing issues, if they don’t they run a high risk of finding themselves before the ICO and, with GDPR in full swing, the consequences could be catastrophic.

Were EasyJet Responsible for the Recent Data Breach?

Has EasyJet mishandled customer data? Were they responsible for the recent data breach? Could they have done more to prevent a cyber-attack?

These are all questions being asked, among many others.

With an annual global turnover in the region of £6.4 billion in 2019, the airline is facing a potentially very heavy fine from the Information Commissioner’s Office (ICO) relating to the breach, under the General Data Protection Regulation (GDPR). That figure does not include compensation payouts to affected customers, which could reach up to £3 billion if negligence on the part of EasyJet is proven.

EasyJet has said the breach was due to a:

“highly sophisticated cyber-attack.”
Around nine million customers have been affected, with email addresses and travel itineraries stolen. Furthermore, 2,208 customers who stored their debit and credit card details within their profiles on the EasyJet website have had those details stolen.

Why are we only finding out about this now when EasyJet was first alerted to the attack in January 2020?

Good question.

EasyJet has claimed it was only able to inform those customers whose card details were stolen in early April 2020.

When questioned by the BBC as to why it took so long to notify customers, EasyJet stated:

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted.”

They added:

“We could only inform customers once the investigation had progressed enough that we were able to identify whether any individuals had been affected. Then, who had been impacted and what information had been accessed.”
It turns out that even the secure CVV digits (the three verification numbers on the back of cards) of those 2,208 customers had been accessed.

EasyJet has warned all affected customers that their email addresses were stolen during the cyber-attack and has advised them to be alert to potential phishing attempts. No details on the exact nature of the attack have been provided by the airline; however, it confirmed the investigation is ongoing and believes the attackers were targeting the airline’s intellectual property rather than stealing data for use in identity fraud. EasyJet maintains that it does not think any of the nine million customers’ personal data has been misappropriated, and has further advised that it has been acting on the recommendations of the ICO.

While the ICO completes its investigation, EasyJet faces a more pressing issue. The law firm PGMBM has issued a class-action claim against the airline which could mean a possible liability of more than £18 billion. PGMBM has filed the claim in the High Court of London on customers’ behalf. One of the reasons for this lawsuit is that it took EasyJet four months to inform customers of the breach, even though it had informed the ICO earlier than this.

The British Airways cyber-attack and subsequent data breach in 2018 should have been a warning to all airline companies. Unfortunately, passenger trust is extremely low during the current crisis and this breach has most certainly not helped that.

The ICO is still investigating the data breach. It said that the general public has a right to expect companies to maintain their personal data in a secure and responsible manner and that where this does not occur, it will “take robust action”. Due to the coronavirus pandemic, though, it may need to be more lenient in regard to the EasyJet data breach, considering how badly the airline industry has been affected. It must nevertheless act adequately, because it has been criticised for not doing enough on GDPR enforcement.

What can we learn from the EasyJet fine?

Keeping on top of data protection under the GDPR rules has never been more important. These turbulent times have brought a significant increase in cyber-attack attempts and a growing number of cyber criminals, the majority trying to access stored personal information and intellectual property. If your own business does not have data control protocols in place, it is high time to plan and implement them – without delay.

Final thoughts

EasyJet has advised affected customers that they should be wary of any messages claiming to come from either EasyJet Holidays or EasyJet itself. Regrettably, the COVID-19 pandemic has brought with it an increase in phishing attempts, and Google is purportedly blocking over 100 million attempts each and every day. This does not include those phishing emails that manage to slip through the net, so the public needs to be more alert than ever to these potential threats.

No doubt the trust of most airline customers has been significantly affected, and organisations will need to work hard to win it back. EasyJet, especially, will need to clarify why it took so long to publicly announce the cyber-attack. Yes, it has been working with the ICO to handle the issue, but its customers’ data was still out there, without them knowing, for months. Perhaps the fact that EasyJet has been liaising with the ICO and NCSC will reduce the impending GDPR fines, but still, a cyber-attack occurred and the customers whose personal data was stolen should have been notified sooner in order to take appropriate safeguarding action.

Waymark Blog 17.09.19

Regulators Demand Answers from Cryptocurrencies Over Data Use

Despite a few bumps along the way, cryptocurrencies and the blockchain have been taking the world by storm. However, they store up all sorts of worries about data privacy.

In August, the ICO joined global regulators from the US, Canada, the EU and Australia in expressing concerns about Facebook’s cryptocurrency, Libra. You can find an excellent detailed analysis on the Global Regulatory platform from data privacy lawyer Shiv Daddar.

In essence, though, regulators are concerned about two things: a lack of clarity so far about how the data will be processed, and the involvement of Facebook itself, whose own record with data is less than squeaky clean.

“To date, while Facebook and Calibra have made broad public statements about privacy, they have failed to specifically address the information-handling practices that will be in place to secure and protect personal information,” says the statement.

The regulators issued a list of questions which they would like answered, such as how customers will be profiled and how their data will be shared among the 28 founding members of Libra.

Ultimately, though, this statement is about trust or the lack of it. Regulators are concerned about the role of firms who may play fast and loose with personal data and the nature of the technology itself.

Cryptocurrencies and the blockchain are still presenting a bit of a puzzle for regulators. On the one hand they recognise the technology’s potential and want to give innovation space to breathe, but on the other the technology itself gives real cause for concern.

For example, data stored on the blockchain is immutable. In theory, this makes it more secure, but it’s also difficult to satisfy regulatory demands to allow customers to have their data changed or deleted.

However, as this letter demonstrates, it is also the identity of the data controller that will attract scrutiny. Facebook’s track record as a reliable data processor is patchy, to say the least.

It was fined $5bn by regulators for its role in the Cambridge Analytica scandal and could face billions more. The EU is currently handling a total of 11 separate investigations which, taken together, could inflict fines on the scale that might make even a giant such as Facebook wince.

Understandably, then, the mere fact of Facebook’s involvement is a red flag for regulators. It’s a bit like a football player who has a reputation for diving: once referees have that in their minds, they will be less likely to give a foul.

This is an issue of trust. Technology needs to comply with regulatory obligations and be shown to comply. This is particularly tricky because regulations can change, which means compliance must be an ongoing process.

Any organisation handling the data needs to be whiter than white, not only to please the regulators but to reassure a public which is becoming increasingly concerned about how its data is being used. Once an organisation gets a track record for bad behaviour, it’s very difficult to turn things around.
