Dixons Carphone slapped with maximum possible fine after 14m customers’ data stolen
Dixons Carphone has been slapped with a £500,000 fine by the Information Commissioner’s Office (ICO) after 14 million customers were affected in a cyber-attack.
The ICO has issued the maximum possible fine on the technology retailer after an investigation uncovered “serious contraventions” that jeopardised millions of customers’ personal and financial details.
Hackers installed rogue software on 5390 tills in branches of the Currys PC World and Dixons Travel chains, which went undetected for over nine months between July 2017 and April 2018.
During this time the details of 14 million customers were obtained, including full names, postcodes, email addresses and failed credit checks.
A further 5.6 million customers’ credit card details were also obtained by hackers before the retailer eventually detected the software last summer.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” said ICO’s director of investigations Steve Eckersley.
Under GDPR laws, which were introduced in May 2018 after the attack happened, the ICO is able to fine companies up to four per cent of their annual global turnover.
In 2018 Dixons Carphone reported revenues of £10.4 billion, meaning under the new rules it could have been fined over £400 million.
The ICO said it uncovered major “systematic failures” in the way the retailer looked after its customer data, including vulnerabilities such as inadequate software patching and security testing.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” Eckersley added.
Dixons Carphone’s chief executive Alex Baldock added: “We are very sorry for any inconvenience this historic incident caused to our customers.
“When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers.”
Last year the ICO also fined Carphone Warehouse £400,000 for having major security flaws which led to a data breach.