Dixons Carphone has been fined £500,000 after a cyber attack compromised the data of at least 14 million people.
An investigation into the electronics retailer found that an attacker had installed malware on 5,390 tills (point-of-sale terminals) at its Currys PC World and Dixons Travel stores between July 2017 and April 2018.
The Information Commissioner’s Office (ICO) said the malware had collected personal data for nine months before it was detected.
In a statement released on Thursday, the ICO said that the company’s failure to secure its system allowed unauthorised access to 5.6 million payment card details used in transactions as well as the personal information of around 14 million people. This included full names, postcodes, email addresses and failed credit check details from internal servers.
Dixons Carphone broke the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data, according to the ICO.
The ICO’s director of investigations, Steve Eckersley, said that the watchdog found “systemic failures” in the way the company safeguarded personal data.
“It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” he said.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
Had the data breach happened after the introduction of GDPR, the ICO would have been able to fine the company up to 4pc of its annual worldwide turnover. In the case of Dixons Carphone, the figure could have reached around £400m.
The gaps in the company’s (DSG Retail’s) systems left customers vulnerable to theft and identity fraud. A total of 158 complaints were made between June and November 2018; by March 2019, 3,300 complaints had been made.
“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data,” Mr Eckersley said.
Dixons Carphone chief executive Alex Baldock apologised for the breach but said that there was no “confirmed evidence” of customers suffering fraud or financial loss.
“When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident,” Mr Baldock said.
“We duly notified regulators and the police and communicated with all our customers.”
Mr Baldock also said that the company was reviewing the ICO’s conclusions and considering an appeal.
“We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute,” he said.
Last January the ICO fined Carphone Warehouse, part of the same company group, £400,000 for similar security failings.