The Information Commissioner's Office (ICO) has fined DSG Retail Limited (“DSG”), better known as Curry’s PC World and Dixons Travel, £500,000 for a series of data security failings. The detailed findings are valuable in setting out the ICO’s view of what is an acceptable level of security, bearing in mind the nature and volume of data in issue, the size and profile of the organisation using it and the costs associated with taking protective measures.
A more detailed analysis is set out below. However, the main take-aways are as follows:
- The fine was the maximum under pre-GDPR levels - £500,000. As the ICO statement accompanying the fine explained, it would have been much higher under GDPR;
- The detailed security failings are well worth a review by anyone responsible for data security as they set out what are acceptable approaches to security taking account of the state of the art, the risks involved and cost;
- The ICO also had regard to PCI-DSS security standards, which will be of particular relevance to any retailer processing card payments.
The breach related to Point of Sale (POS) terminals where payments were taken from customers’ cards in DSG’s stores. The attackers used malware to access the systems and collect the data. Breaches occurred over a nine-month period between July 2017 and April 2018, so just before the EU General Data Protection Regulation (“GDPR”) took effect in May 2018. Under GDPR the fines could have totalled up to €20 million or 4 per cent of the global turnover of DSG.
The breach affected at least 14 million individuals. It included 5,646,417 payment card details (approximately 53,000 of which were of individuals from outside the EU) as well as physical and email addresses, phone numbers, dates of birth and failed credit checks. The ICO received 158 complaints and DSG say they have received nearly 3,300 customer complaints. The ICO found that 85 cards had potentially been subject to fraudulent use as a result of the breach.
The ICO issued a Monetary Penalty Notice (“MPN”) on 10 January 2020, setting out in detail its reasons for issuing the maximum fine of £500,000.
In the MPN, the ICO described the failings by DSG as relating to basic, commonplace security measures. In the ICO’s words there was, “plainly a multi-faceted contravention of the seventh data protection principle (the requirement to keep data secure)” which was, “particularly serious”. The ICO also noted that a retailer of the scale of DSG would be expected by the public to lead by example in the area of data security.
An aggravating factor was that in January 2018 the ICO had issued a £400,000 fine for similar security failings against Carphone Warehouse, a related company in the same Group as DSG.
The detailed security failings are well worth a review by anyone responsible for data security in your organisation. In particular, they included:
- Failure to fully follow Microsoft guidance from 2014 on software patching of a known vulnerability. The ICO also noted that its subsequent investigation found other multiple failures in the same area of software patching;
- Absence of local firewalls;
- Lack of network segregation;
- Too easy access to the status of privileged account manager on DSG’s systems;
- Lack of routine penetration and security tests which would have identified the issues much earlier or even prevented the breach in the first place;
- An ineffective system to log security incidents and respond to them;
- Use of outdated software which was vulnerable to attack.
The ICO also took into account the security standards developed by card schemes, or PCI-DSS, which apply to businesses that process card payments. In particular, the ICO found that encryption technology recommended by PCI-DSS standards, although expensive, should have been used by DSG given the nature and volume of data being processed. This emphasises that organisations need to keep abreast of developments in data security and assess whether they should be implemented, even if they are expensive.
In determining that substantial distress to affected individuals was likely to arise from the breach, the ICO took into account, amongst other things, a statement issued by DSG’s Chief Executive to customers acknowledging the “upset” caused.
The ICO also implicitly criticised how DSG responded to the incident, noting that the offer of credit monitoring to customers was only taken up by twenty-five individuals, and questioning the extent to which this service was effectively communicated by DSG and tailored to its customers’ needs rather than just being an “industry standard approach”.
DSG has issued a statement saying that they dispute some of the ICO’s findings and are considering grounds to appeal. There are indications in the MPN that this might relate to the ICO’s detailed findings on security standards, as well as what counts as personal data - DSG argued that Primary Account Number (PAN) data (identifying which bank the card belongs to) could not be used to identify an individual and so is not personal data. This was rejected by the ICO. These issues might also be further explored in any civil claims for compensation brought on behalf of affected individuals.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2020