ICO issues £500,000 fine to Dixons Carphone over data breach

Dixons Carphone, based in the UK, has been fined £500,000 (about €589,000) following a cyber attack that compromised the data of approximately 14 million people.

An investigation conducted by the UK’s ICO (Information Commissioner’s Office) found malware installed on 5,390 tills between July 2017 and April 2018.


Details of the breach

The criminal hackers collected payment card details of more than 5.6 million customers, and the personal data of more than 14 million people, which included names, postcodes, email addresses and failed credit checks.

The ICO concluded that the breach occurred because Dixons Carphone failed to secure its systems and protect its customers’ data. The failings it identified included inadequate software patching, failure to use a local firewall and a lack of security testing.
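The three failings the ICO named (patching, local firewall, security testing) are all things a fleet inventory can be checked against before an attacker does it for you. The script below is an added example, not part of the original article and not anything the ICO or Dixons Carphone published: it runs a simple control audit over a constructed inventory export. The field names (`firewall_enabled`, `last_patched`, `last_pentest`) and the 30-day patch and 365-day test thresholds are assumptions standing in for whatever your own configuration-management data and policy define.

```python
"""Audit a host inventory against three basic controls: local firewall
enabled, patches applied recently, and a penetration test on record.

Added example; the inventory below is constructed sample data and the
field names and thresholds are assumptions, not a real export or policy.
"""
from datetime import date

# Assumed policy thresholds (days).
MAX_PATCH_AGE_DAYS = 30
MAX_PENTEST_AGE_DAYS = 365

# Finding codes returned per host.
FIREWALL_DISABLED = "FIREWALL_DISABLED"
PATCHING_OVERDUE = "PATCHING_OVERDUE"
PENTEST_OVERDUE = "PENTEST_OVERDUE"

# Constructed sample export: one record per till. Dates are ISO strings,
# as most config-management and CMDB exports provide them.
INVENTORY = [
    {"host": "till-001", "firewall_enabled": True,
     "last_patched": "2018-03-30", "last_pentest": "2017-09-01"},
    {"host": "till-002", "firewall_enabled": False,
     "last_patched": "2017-06-15", "last_pentest": "2017-09-01"},
    {"host": "till-003", "firewall_enabled": True,
     "last_patched": "2017-11-20", "last_pentest": None},
]


def days_since(iso_date, today):
    """Whole days between an ISO date string and `today`; None if the
    date is missing, which the callers treat as a failed control."""
    if not iso_date:
        return None
    return (today - date.fromisoformat(iso_date)).days


def audit_host(record, today):
    """Return the list of finding codes for one host (empty if compliant)."""
    findings = []
    if not record.get("firewall_enabled", False):
        findings.append(FIREWALL_DISABLED)
    patch_age = days_since(record.get("last_patched"), today)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(PATCHING_OVERDUE)
    test_age = days_since(record.get("last_pentest"), today)
    if test_age is None or test_age > MAX_PENTEST_AGE_DAYS:
        findings.append(PENTEST_OVERDUE)
    return findings


def audit_fleet(inventory, today):
    """Map host name -> findings, including only hosts with at least one."""
    report = {}
    for record in inventory:
        findings = audit_host(record, today)
        if findings:
            report[record["host"]] = findings
    return report


if __name__ == "__main__":
    # Fixed reference date so the constructed data gives stable results.
    for host, findings in sorted(audit_fleet(INVENTORY, date(2018, 4, 1)).items()):
        print(f"{host}: {', '.join(findings)}")
```

A missing date is deliberately treated as a failure rather than skipped: a till with no patch or test record is exactly the kind of host that goes unnoticed until it is found running malware. Replace the inline inventory with your own export and the thresholds with your policy figures.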

Steve Eckersley, the ICO’s director of investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.

“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.

“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”


Protect yourself from attacks

Organisations should test their networks and web applications regularly to identify vulnerabilities and fix them before criminal hackers can exploit them.

Penetration testing involves simulating a malicious attack on an organisation’s information security arrangements, using a combination of methods and tools. It should be carried out by qualified, independently accredited testers (such as CREST-qualified staff), and the findings will give you a clear picture of your security measures and how you can improve them.

As a CREST member company, we’ve been verified by an independent body attesting that our work will be carried out to a high standard by qualified and knowledgeable individuals. 

Find out more about penetration testing >> 
