Computer Active (UK)

Dixons hit with £500,000 fine for stolen customer cards

The UK’s privacy watchdog has fined Dixons Retail £500,000 for a hack that exposed the details of 5.6 million customer payment cards.

An investigation from the Information Commissioner’s Office (ICO) found that a hacker had installed malware on 5,390 tills at Currys PC World and Dixons Travel Stores between July 2017 and April 2018.

It said the hackers had collected personal data for nine months before Dixons detected the attack. Most of the card details stolen included the primary account number and expiry date.

As well as card information, the ICO found that hackers stole the non-financial personal info of around 14 million customers. This included names, email and postal addresses, date of birth and phone numbers.

The ICO concluded that Dixons broke the Data Protection Act 1998 by running a “poor security arrangement and failing to take adequate steps to protect personal data”.

ICO director of investigations Steve Eckersley said: “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen”.

The £500,000 fine is the maximum the ICO can impose under previous data laws. Had the attack occurred after GDPR became law in May 2018, the watchdog could have fined Dixons up to £18m, or four per cent of its annual global turnover, whichever would have been greater. In Dixons’ case, this could have been £400m based on a worldwide turnover of £10.5bn in 2018.

Dixons boss Alex Baldock apologised for the incident, and said it hasn’t found any evidence that customers lost any money as a result, even though 3,300 people had complained. He said the company challenges some of the ICO’s “key findings” and is “considering our grounds for appeal”.
