Information lawyer welcomes Dixons Carphone £500,000 fine following massive data breach

Leading information law solicitors Leigh Day welcome yesterday’s announcement that the Information Commissioner’s Office (ICO) has fined Dixons Carphone £500,000 after finding systemic failures in its cybersecurity allowed a hack affecting millions of customers.

Dixons Carphone is a multinational electrical and telecommunications retailer and services company, formed in 2014 following the merger of Dixons and Carphone Warehouse, whose operations include Currys PC World and Dixons Travel stores.

In their report, the ICO found that hackers installed malware on 5,390 tills at Currys PC World and Dixons Travel stores for a nine month period between July 2017 and April 2018 before the attack was detected.

The ICO confirmed that this allowed criminals to hack the personal information of approximately 14 million people including their full names, postcodes, email addresses as well as details of failed credit checks from internal servers.  In addition, the hack resulted in criminals having unauthorised access to 5.6 million payment card details used in transactions.

The ICO investigation found that Dixons Carphone breached the Data Protection Act 1998, the legislation in place at the time of the data breach, by having poor security arrangements and failing to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.  The ICO commented that there was a failure to have even basic, commonplace security measures showed a complete disregard for customers whose personal information was stolen.

The ICO report confirmed that it considered that the data breach was of a type likely to cause substantial damage or distress and that the information stolen was likely to be useful to criminals in terms of identity theft and fraud.  The ICO also referred to evidence from Banks that some of the cards had potentially been compromised and subject to fraudulent use in a UK supermarket.  As a result, the ICO fined Dixons Carphone a fine of £500,000, the maximum allowed under the Data Protection Act 1998.

Sean Humber, an Information specialist at Leigh Day solicitors commented:

“This was a particularly serious data breach given the large numbers affected and the sensitive nature of financial information taken.  The fact that Dixons Carphone were fined the maximum amount possible under the law in place at the time only confirms its seriousness.

“Completely separate from this fine, those affected by this data breach are likely to have claims for compensation for the loss of control over their personal information, any distress and inconvenience caused as well as any financial losses that they may have suffered.   We have already been approached by affected customers and it seems almost inevitable that Dixons Carphone will end up facing a large number of claims.”

If you are a Dixons Carphone customer who has been affected by the data breach and wish more to receive more information about bringing a claim for compensation then please complete our form.