Home / Insights / ICO Issues Half A Million Fine For National Retailer

ICO Issues Half A Million Fine For National Retailer

14 Jan 20202 minute read

The ICO has certainly got the New Year off to a flying start! On Thursday of last week, it fined DSG Retail Limited £500,000 for data protection law breaches associated with a cyber-attack which affected DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018.

As the breaches occurred prior to 25th May 2018 (when the GDPR came into force), the fine was issued under the previous legislation, the Data Protection Act 1998 (‘DPA’). The fine amounted to the maximum penalty that could have been imposed under the DPA and the ICO has indicated that the fine would have been much higher had it been issued under the GDPR.

Once again, the fine related to technical and organisational security failures, which meant that personal data was put at risk. The ICO justified its imposition of the maximum fine possible on various grounds, including:

- The fact that the vulnerabilities in DSG’s security arrangements were wide-ranging and systemic;
- The fact that a number of the inadequacies related to basic, common-place measures required to ensure the security of any system (e.g. a lack of network segregation, failures to patch software and a lack of penetration and vulnerability testing);
- The fact that the breaches persisted over a relatively long period of time before being detected (and were only eventually detected by DSG due to an external tip-off);
- The amount of personal data involved and the number of individuals affected. The breaches allowed the attacker to access details from 5,646,417 customer payment cards and also exposed the non-financial personal data of approximately 14 million individuals;
- The nature of the risks resulting from the breaches – namely, financial theft and identity fraud.

Once again, the fine highlights how important it is for organisations to:

- - carry out a thorough risk assessment of the security of their processing;
  - implement appropriate technical and organisational security measures; and
  - keep those measures under review to ensure that they remain effective and appropriate.

For more information, please contact a member of the team below.

Like to talk about this Insight?

Charity Law & Governance, Data Protection, Employment & HR, Employment Contracts & Rights, English Public Sector,…

Cardiff

+44 29 2039 1758

Email

Get Insights in your inbox

ICO Issues Half A Million Fine For National Retailer

Like to talk about this Insight?

Lowri
Phillips

Legal Update: How long can you keep personal data under UK GDPR?

Legal Update: Artificial Intelligence: An Overview for Employers

Legal Update: Views are my own and not that of my employer

Legal Update: ICO updated guidance on electronic marketing, consent and the “soft…

Legal Update: UK Data Protection reforms: a brief look at the government’s…

Get insights in your inbox

ICO Issues Half A Million Fine For National Retailer

Related Expertise

Share this page

Like to talk about this Insight?

LowriPhillips

Related Insights

Legal Update: How long can you keep personal data under UK GDPR?

Legal Update: Artificial Intelligence: An Overview for Employers

Legal Update: Views are my own and not that of my employer

Legal Update: ICO updated guidance on electronic marketing, consent and the “soft…

Legal Update: UK Data Protection reforms: a brief look at the government’s…

Get insights in your inbox

Lowri
Phillips