British retailer fined half a million pounds for poor cybersecurity hygiene

Companies that fail to protect themselves online no longer need to fear only the bad guys lurking in the hidden corners of the internet. Increasingly, they need to worry about the good guys as well.

The UK is one country leading this push to force companies to protect themselves and their customers, dishing out fines left and right to entities that mishandle user data or put customers at risk of ID theft and fraud. In the latest example, the UK Information Commissioner’s Office (ICO) has fined retailer DSG Retail Limited (DSG) £500,000 for a cyber-attack affecting at least 14 million customers.

As per the ICO’s announcement on Thursday, an attacker allegedly installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018. The attacker collected personal data for nine months before the attack was detected.

“The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers,” the ICO said in its press release.

The hack was possible because DSG had failed to patch known bugs, had no firewall, lacked network segregation and had not conducted routine security checkups. These poor cybersecurity practices meant DSG breached the Data Protection Act 1998, under which the ICO can impose a maximum penalty of 500,000 pounds, which it did.

The ICO pointed out that Carphone Warehouse, also owned by DSG, was fined £400,000 in January 2018 for similar offenses.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said Steve Eckersley, ICO’s Director of Investigations. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The ICO cannot fine DSG under the newer regulation because the breach occurred before the GDPR took effect in May 2018.

The ICO says the breach significantly affects individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The watchdog claims to have received 158 complaints between June 2018 and November 2018 from DSG customers. DSG itself admitted that around 3,300 customers had contacted it directly in relation to this data breach.

“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” Eckersley added. “We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”

The ICO directs affected parties to the Monetary Penalty Notice for details of its investigation into the breach.
