ICO fines Dixons Carphone for a data breach affecting 14 million customers

Published on Friday, January 10, 2020 - 14:23 by Cameron Troake

The ICO has fined Dixons Carphone £500,000 following a cyberattack which resulted in hackers accessing the personal information of 14 million customers.

This is the second time the organisation has been fined by the regulator. In January 2018, Dixons Carphone was also fined for similar security vulnerabilities which led to a data breach in 2015.

Between July 2017 and April 2018 malware was installed on 5,390 tills at Currys PC World and Dixons Travel Stores, which allowed attackers to collect the personal data of customers over a nine-month period. This resulted in 5.6 million customers having their credit card data stolen.

In total cyber criminals accessed the personal data of 14 million customers, including their full names, postcodes, email addresses, and failed credit checks.

The ICO investigation found Dixons Carphone to have breached the 1998 Data Protection Act by having "poor security arrangements" and "failing to take adequate steps to protect personal data". The oversights include inadequate software patching and an absence of firewalls, as well as an absence of network segregation and regular security testing.

Steve Eckersley, director of investigations at the ICO, said: "Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen."

The fine is in line with the legislation prior to the GDPR, as the incident occurred before it came into force in May 2018. However, the ICO has made it clear that the fine would have been much higher if the incident had occurred under GDPR.

The ICO said: "The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."

This is because the personal data involved in the breach would "significantly affect individuals' privacy", and leave people exposed to identity theft and fraud.

Steve Eckersley continued: "Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud."

Alex Baldock, CEO of Dixons Carphone, has responded: "We have no confirmed evidence of any customers suffering fraud or financial loss as a result. We are disappointed in some of the ICO's key findings which we have previously challenged and continue to dispute. We're studying their conclusions in detail and considering our grounds for appeal."

Dixons Carphone says it has since improved its detection and response capabilities and made "significant" investment in its information security. 
