The UK Information Commissioner’s Office has imposed a £500,000 ($654,000) fine on DSG Retail Limited for failing to secure the personal data of approximately 14 million consumers. According to the ICO, poor security arrangements allowed an attacker to install malware on point-of-sale terminals at 5,390 locations of Currys PC World and Dixons Travel Stores, two retail consumer electronics chains operated by DSG, a UK-based company. The malware went undetected between July 2017 and April 2018 and allowed access to 5.6 million payment card details and to the names, email addresses and credit information of 14 million individuals.
The ICO found that DSG’s failure to take adequate steps to protect consumers’ personal data – including inadequate software patching and the lack of a local firewall, of network segregation and of routine security testing – constituted a breach of the Data Protection Act 1998. The Data Protection Act 2018, which incorporates the provisions of the General Data Protection Regulation (GDPR) and allows higher monetary penalties, was not applicable to DSG’s conduct in this case because it took place before May 2018.