- An attacker installed malware on 5,390 cash registers at Dixons Travel stores and DSG’s Currys PC World between July 2017 and April 2018.
- The breach spanned almost a year.
DSG, a unit of retailer Dixons Carphone, has been slapped with a fine of $653,000 for failing to protect the personal data of 14 million individuals affected in a data breach in 2018.
What do ICO findings suggest?
Britain’s Information Commissioner’s Office (ICO) said in a statement that its investigation had found that an attacker installed malware on 5,390 cash registers at Dixons Travel stores and DSG’s Currys PC World between July 2017 and April 2018. This enabled the attacker to steal the personal data of nearly 14 million customers and gain unauthorized access to 5.6 million payment card details.
What does the compromised data involve?
The compromised information included names, postcodes, email addresses, and failed credit checks.
Where did the company fail?
DSG Limited has been found to have breached the 1998 Data Protection Act. It failed to take adequate steps to protect personal data due to poor security arrangements.
These poor security arrangements included inadequate software patching, the absence of firewalls, and a lack of network segregation and routine security testing.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen," said Steve Eckersley, director of investigations at the ICO.
The final word
The ICO has highlighted that personal data involved in the breach would significantly affect individuals’ privacy and leave customers open to identity theft and fraud.
Meanwhile, the company claims to have upgraded its detection and response capabilities. Dixons Carphone appears to have made a significant investment in information security.