Maximum fine under old legislation
9 January 2020
Dixons Carphone, the group that owns brands including PC World and Carphone Warehouse, has been fined £500,000, the maximum possible under the old Data Protection Act 1998.
The data breach was discovered in summer 2019 and involved the installation of malware on over 5,000 tills in branches of the Currys PC World and Dixons Travel chains. The breach of personal data security affected at least 14 million customers of the chain.
Under the new GDPR legislation, introduced on 25 May 2018, the maximum fine could have been up to 4% of the Group's global turnover and therefore far higher than £500,000. Recent fines of over £100m have been levied on British Airways and the Marriott hotel group.
According to the ICO decision notice, the breach was made possible by:
- failure to comply with PCI-DSS, the security standards of the payment card schemes used by organisations that handle payment card data
- failure to follow Microsoft guidance on patching vulnerabilities, system configuration and the use of firewalls
- a reliance on outdated software, such as the use of eight-year-old software in POS terminals
Dixons had also not acted on an information security consultancy report from May 2017 that highlighted some of these issues.