Every few months or so, a breach penalty stands out from the rest. In this instance it is Dixons Carphone, which has received a £500,000 fine for exposing the details of 5.6 million payment cards.
The UK's Information Commissioner's Office (ICO) decided to levy the highest penalty possible under the Data Protection Act 1998, which applies here because the breach took place between July 2017 and April 2018, when it was finally reported.
The ICO reports that during that time, 5,390 ePOS systems at Currys PC World and Dixons Travel stores were compromised via a central management system, exposing over five million payment cards from the UK and EU.
14 Million Data Subjects Affected
If this wasn't bad enough, Dixons Carphone disclosed that, in addition, up to ten million non-financial records had been compromised, including personal data such as name, postal address, phone numbers, email address, date of birth and even credit check information. And, to top it all off, 73 percent of a database housing up to 4.7 million records was also compromised.
Altogether, it is estimated to have affected 14 million data subjects.
The ICO's damning report into the breach described Dixons Carphone as having a "poor security arrangement and failing to take adequate steps to protect personal data". As a result, the company was found in breach of the Data Protection Act 1998 and was hit with the maximum penalty available under the since-superseded legislation.
Had this taken place just one year later, Dixons Carphone could be looking down the barrel of the General Data Protection Regulation (GDPR), which has a maximum penalty of 20 million EUR or 4% of annual global revenue from the previous financial year.
You would be forgiven for thinking that this is a close shave and a wake-up call for Dixons Carphone, which will surely want to avoid further action. However, this is not the first time that Dixons Carphone, or specifically its predecessor Carphone Warehouse, has found itself in a data protection pickle.
In 2015, Carphone Warehouse was a victim of a “sophisticated cyber-attack”, which resulted in the breach of 2.5 million customer records, of which 90,000 were expected to contain credit card information. This resulted in a £400,000 penalty under the Data Protection Act 1998.
Personal Data Has Become More Valuable Than Financial
In today's world it is broadly accepted that personal data is more valuable than credit card information. While your credit card details can be changed, your personal data generally cannot. In addition, personal data fraud has great scope for abuse, allowing fraudsters to apply for loans, purchase mobile phone contracts and conduct a damaging identity theft rampage.
As a result of the ICO's investigation and penalty, Dixons Carphone has reported that it has upgraded its detection and response systems. And, while we do not know the specifics of the "upgrade", we can speculate that solutions such as file integrity monitoring may have helped. In fact, such solutions are required by compliance frameworks such as the Payment Card Industry Data Security Standard (PCI-DSS) for this very purpose, and the Dixons Carphone ePOS and payment systems presumably would have been in scope.
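To make the speculation above concrete, here is a minimal file integrity monitoring loop of the kind PCI-DSS change-detection controls call for: hash every file under a watched tree into a baseline manifest, re-scan later, and report what was added, removed or modified. This is an added illustration, not code from the article or from Dixons Carphone; the directory layout, file names and the "tampering" are constructed in a temporary folder so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Everything below operates on a constructed temporary tree standing in for an
# ePOS host (binaries under bin/, configuration under etc/), not a real system.


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests into sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot a fake ePOS tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "pos-agent").write_bytes(b"\x7fELF constructed binary")
        (root / "etc" / "pos.conf").write_text("gateway=payments.example.invalid\n")

        # Baseline taken while the host is known-good. A real deployment stores
        # the manifest off-host or read-only so an intruder cannot rewrite it.
        manifest = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated changes: patched binary, unexpected new file, config removed.
        (root / "bin" / "pos-agent").write_bytes(b"\x7fELF constructed binary + patch")
        (root / "bin" / "extra.bin").write_bytes(b"unexpected")
        (root / "etc" / "pos.conf").unlink()

        # Scheduled re-scan compared against the stored baseline.
        return compare(json.loads(manifest), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The value of the control is entirely in how the findings are handled: the re-scan has to run on a schedule against a baseline the monitored host cannot alter, and every entry in `modified` or `added` under a payment application's install path should raise an alert that someone actually reviews, since an unexplained change to a POS binary or its configuration is exactly the signal that was missing for the months this breach went unnoticed.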
Could Dixons Carphone also be subject to a PCI-DSS investigation? We will have to wait and see…