Dixons Carphone fined £500,000 over serious data breach that put 14 million customers at risk

Dixons Carphone has been issued a fine of £500,000 after its point of sale system was breached by hackers, putting millions of customers at risk.

The parent company of PC World has been ordered to pay the fine by the Information Commissioner’s Office (ICO) after it was found the cyber-attack compromised the personal information of around 14 million people.

Unauthorised access

The ICO's investigation found that malware had been installed on 5,390 tills at the company's Currys PC World and Dixons Travel stores.

The data breach compromised the personal information of around 14 million people (Photo: Shutterstock)

The breach allowed hackers unauthorised access to the details of 5.6 million payment cards used over a nine-month period between July 2017 and April 2018, when the cyber-attack was finally detected.

Hackers were able to access personal information of approximately 14 million customers, including names, postcodes, email addresses and information relating to failed credit checks.

The company could have faced a much larger fine under the General Data Protection Regulation (GDPR), which now allows fines of up to £17 million for a significant breach, but those rules only came into effect after the breach had started.

Failure to protect customers

The ICO found that malware had been installed on 5,390 tills at the company's stores

The company was criticised by the ICO for its careless security arrangements and failure to protect the data of its customers, which saw it fall foul of data protection laws.


Among the failings were a failure to update software to fix dangerous bugs and a failure to carry out proper security testing. The company had also been fined £400,000 by the ICO in January 2018 over a separate cyber-attack in 2016.

This incident also occurred before the new GDPR rules came into force in May 2018, meaning the case fell under the Data Protection Act 1998, under which the maximum fine that could be issued was £500,000.

In a statement, Dixons Carphone chief executive Alex Baldock said, “We are very sorry for any inconvenience this historic incident caused to our customers.

“When we found the unauthorised access to the data, we promptly launched an investigation, added extra security measures and contained the incident.


“We duly notified regulators and the police and communicated with all our customers.

“We have no confirmed evidence of any customers suffering fraud or financial loss as a result.

“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in security systems and processes.”
