<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Dixons Fined £500,000 for Data Breach of 5.6m Payment Cards

Topics: Data Protection, Data Breach, Data Security

Posted: 13 January 2020


Every few months or so, there is a breach penalty which stands out among others. In this instance, it is the Dixons Carphone, which has been the recipient of a £500,000 fine in response to exposing the details of 5.6 million payment cards.

The UK's Information Commissioner’s Office (ICO) has decided to level the highest possible penalty in accordance with the Data Protection Act 1998. Which is applicable in this case due to the breach taking place between July 2017 and April 2018, when it was finally reported.

The ICO reports that during time, 5,390 ePOS systems at their Curries PC World and Dixon Travel stores were compromised via a central management system, exposing over five million payment cards from the UK and EU.

[You may also be interested to read "Data Breaches and the GDPR - 1 Year Later"]

14 Million Data Subjects Affected


If this wasn’t bad enough, Dixons Carphone disclosed that in addition, up to ten million non-financial records had been compromised, including personal data such as name, postal address, phone numbers, email address, date of birth and even credit check information. And, to top it all off 73 percent of a database housing up to 4.7 million records.

Altogether, it is estimated to have affected 14 million data subjects.

The ICO's damning report into the breach has described Dixon Carphone as a “poor security arrangement and failing to take adequate steps to protect personal data”. As a result, it is in breach of the Data Protection Act 1998 and was hit with the maximum penalty available under the since superseded legislation.

Had this taken place just one year later, Dixons Carphone could be looking down the barrel of the General Data Protection Regulation (GDPR), which has a maximum penalty of 20 million EUR or 4% of annual global revenue from the previous financial year.

You would be forgiven for thinking that this is a close-shave and a wake-up call for Dixon Carphone, which is surely likely to want to avoid action again. However, this is not the first time that Dixon Carphone, or specifically its predecessor, Carphone Warehouse have found themselves in a data protection pickle.

In 2015, Carphone Warehouse was a victim of a “sophisticated cyber-attack”, which resulted in the breach of 2.5 million customer records, of which 90,000 were expected to contain credit card information. This resulted in a £400,000 penalty under the Data Protection Act 1998.


Personal Data Has Become More Valuable Than Financial


In today's world, it is pseudo accepted that personal data is more value than credit card information. While your credit card details can be changed - your personal data, generally cannot. In addition, personal data fraud has great scope for abuse, allowing fraudsters to apply for loans, purchase mobile phone contracts and conduct a damaging identity theft rampage.

As a result of the ICOs investigation and penalty, Dixons Carphone has reported that they have upgraded their detection and response systems. And, while we do not know the specifics of the “upgrade” we can speculate that solutions such as file integrity monitoring solutions may have helped. In fact, such solutions are required by compliance frameworks such as the Payment Card Industry Data Security Standard (PCI-DSS), for this very purpose. Of which the Dixons Carphone ePOS and payment systems presumably would have been in-scope for.

Could Dixon Carphone also be subject to a PCI-DSS investigation? We will have to wait and see…

[You may also like "UK's Top 4 Regulations Overlap"]


Data Protection for Life GDPR Data Processing

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts