Dixons Carphone data breach fine issued by ICO


The Information Commissioner’s Office (ICO) has issued their Dixons Carphone data breach fine, and the amount is the maximum penalty available under the old rules.

This was a sustained cyberattack that lasted between July 2017 and April 2018, meaning that it has been dealt with in accordance with the Data Protection Act 1998. The GDPR, which could have allowed fines of up to 4% of a company’s global annual turnover, came into effect in May 2018, just weeks after the breach period ended. Had the breach period lasted longer, a far greater penalty could have been issued. We have seen this with the provisional £183m fine issued for the British Airways data breach.

We are representing people who are claiming compensation from Dixons Carphone (DSG Retail Ltd). This is one of the dozens of data breach group and multi-party actions in which our lawyers are fighting for justice.

Impact of the Dixons Carphone data breach fine

The impact of the Dixons Carphone data breach fine has been substantial. This is the maximum penalty that the regulator has been able to issue in the case, which reflects their view on how serious the breach was.

Some 14 million people had their personal data exposed. This included the details of around 5.6 million payment cards, which can put victims at immediate risk of serious crimes like fraud and identity theft. Ultimately, this was a sustained attack that has affected a huge number of people, and it may well have been avoidable.

Speaking about the fine and the investigation, the ICO’s Director of Investigations, Steve Eckersley, has said:

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

Is the fine justified?

The Dixons Carphone data breach fine has been levied at the highest amount that it can be. This can only mean that the ICO see this as a very serious data breach, and on the face of what they have published, the amount of the fine appears to be justified.

They have cited inadequate security arrangements with vulnerabilities caused by a failure to patch software; inadequate network segregation; and no local firewalls in use. It is also understood that they had not been properly testing their security.

These are all simple things that can allow for data to be properly protected. When they are not in place, you are leaving an open goal for hackers to exploit, and criminals will go for the easier targets. The attackers managed to get away with stealing data for around nine months, which goes to show just how bad the company’s security practices were.

Appeal

It is understood that the Dixons Carphone data breach fine could be appealed, with the Chief Executive for the company reportedly saying that he is “disappointed” with some of the ICO’s findings.

This could lead to a reduction in the level of the fine. However, given the ICO’s publications about the breach so far, it seems to me that it could be hard to succeed with an appeal given the scale and severity of the incident, and how avoidable it appears to have been.
