The ICO has certainly got the New Year off to a flying start! On Thursday of last week, it fined DSG Retail Limited £500,000 for data protection law breaches associated with a cyber-attack which affected DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018.
As the breaches occurred prior to 25th May 2018 (when the GDPR came into force), the fine was issued under the previous legislation, the Data Protection Act 1998 (‘DPA’). The fine amounted to the maximum penalty that could have been imposed under the DPA and the ICO has indicated that the fine would have been much higher had it been issued under the GDPR.
Once again, the fine related to technical and organisational security failures, which meant that personal data was put at risk. The ICO justified its imposition of the maximum fine possible on various grounds, including:
- The fact that the vulnerabilities in DSG’s security arrangements were wide-ranging and systemic;
- The fact that a number of the inadequacies related to basic, commonplace measures required to ensure the security of any system (e.g. a lack of network segregation, failures to patch software and a lack of penetration and vulnerability testing);
- The fact that the breaches persisted over a relatively long period of time before being detected (and were only eventually detected by DSG due to an external tip-off);
- The amount of personal data involved and the number of individuals affected. The breaches allowed the attacker to access details from 5,646,417 customer payment cards and also exposed the non-financial personal data of approximately 14 million individuals;
- The nature of the risks resulting from the breaches – namely, financial theft and identity fraud.
Once again, the fine highlights how important it is for organisations to:
- carry out a thorough risk assessment of the security of their processing;
- implement appropriate technical and organisational security measures; and
- keep those measures under review to ensure that they remain effective and appropriate.
For more information, please contact a member of our Information Law team.