The Information Commissioner’s Office (ICO) has fined DSG Retail Limited £500,000 under the Data Protection Act 1998 following a data breach which affected 14 million customers.
The fine is the maximum amount which can be issued to an organisation, as the breach occurred before the introduction of the General Data Protection Regulation (GDPR).
The data breach affected Currys PC World and Dixons Travel stores between July 2017 and April 2018, with hackers gathering data from internal servers, including customer names, postcodes, email addresses and failed credit checks.
Steve Eckersley, Director of Investigations at the ICO, said:
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
The ICO investigation claimed that the breach exposed the customers whose data was stolen to significant risk of identity fraud and financial theft. The investigation also revealed that almost 3,300 of the vulnerable customers had contacted the ICO by March 2019.
DSG Retail Limited aren’t too pleased with the action and are considering launching an appeal.
Alex Baldock, CEO of DSG Retail Limited, issued a statement, which read:
“When we found the unauthorised access to our data, we promptly launched an investigation, added extra security measures and contained the incident.
“We duly notified regulators and the police and communicated with all of our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”