UK: ICO fines DSG £500,000 for data breach
The Information Commissioner's Office ('ICO') announced, on 9 January 2020, that it had fined DSG Retail Limited £500,000 for a data breach. Following an investigation, the ICO found that an attacker had installed malware on 5,390 tills at DSG's Currys PC World and Dixons Travel stores between July 2017 and April 2018. The malware allowed unauthorised access to 5.6 million payment card details used in transactions and to the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
Furthermore, the ICO highlighted that DSG had breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. In particular, the ICO noted that the vulnerabilities included inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.