For ‘multiple inadequacies’ in data protection, technically and in organisation, the UK regulator the ICO has fined a retailer £500,000. It’s against parent company DSG for shortcomings at its Currys PC World and Dixons Travel stores. A ‘point of sale’ (POS) computer system was compromised as a result of a cyber-attack, affecting an estimated 14 million people.
At the time of the incident, according to the ICO, the POS system was not segregated from the wider company network. A consultant confirmed that there was no local firewall configured on the point of sale terminals. As of May 2017, those terminals were not in compliance with the company’s own patching policy; and after a review in August 2017, were not fully compliant until November 2017. A vulnerability remained exploitable for four years, the ICO found. The regulator pointed to ‘systematic patch management failing’, which led to the retailer processing personal data without appropriate security. The retailer confirmed to the regulator that it was not scanning regularly for vulnerabilities.
According to the ICO’s report there ‘remains some uncertainty’ about how the cyber-attacker compromised the terminals. Malware was installed on some 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine months before the attack was detected. The retail chain’s failure to secure the system allowed unauthorised access to 5.64 million payment card details and personal information including full names, postcodes, email addresses and failed credit checks from internal servers.
Hence DSG breached the Data Protection Act 1998, for what the regulator termed ‘systematic non-compliance’, and the ICO set the maximum fine under the Act; had the offence been under the new, 2018 Act, it could well have been far higher. The ICO received 158 complaints between June and November 2018 from DSG customers. As of March 2019, the company reported that nearly 3300 customers had contacted them directly in relation to this breach.
In January 2018, the ICO fined Carphone Warehouse, part of the same group, £400,000 for similar cyber vulnerabilities.
Steve Eckersley, the Information Commissioner’s Office Director of Investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud. We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”
As background, Dixons Carphone plc has some 1,500 stores and 42,000 staff; its brands include Currys PC World and Carphone Warehouse in the UK and Ireland. For the full ‘monetary penalty notice’ visit the ICO website.
Separately, and the first penalty issued by the ICO under the new General Data Protection Regulation (GDPR), a London-based pharmacy has been fined £275,000. Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left about 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions. Documents, some water damaged, were dated between June 2016 and June 2018. The Medicines and Healthcare Products Regulatory Agency alerted the ICO to the case.
Comments
Dixons Carphone Chief Executive, Alex Baldock, said: “We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result. We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our information security systems and processes. We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”
Matt Aldridge, Principal Solutions Architect at the cyber security product company Webroot, said: “This latest fine highlights that GDPR [general data protection regulation, since May 2018] penalties are real and significant. Companies should take this as a wake-up call to address their data security and privacy compliance if they are not already ahead on this. From a reputation protection standpoint alone, being in the spotlight for data protection transgressions and data breaches is not good for business. On the enforcement side, it is likely that more clear guidance will be needed so that companies can easily ensure they are operating in a fully compliant state before they are breached, rather than attempting to demonstrate this after a breach has occurred.
“It is now more important than ever that compliance efforts made by organisations go hand in hand with verifiable security controls and robust processes. MSSPs and compliance specialists can play a key role in helping companies to achieve this, along with other cybersecurity service providers, but in turn those companies must ensure that they have done and recorded their due diligence when selecting such partners. Yet again in this case, we see that patch management and proper network segmentation have been neglected, along with regular, robust security testing. DSG may have dodged a bullet here because the fine is not covered by GDPR, due to this breach happening before GDPR came into effect. The fine could have been substantially higher under GDPR.”
And AJ Thompson, CCO at corporate IT consultancy Northdoor, said that the case highlights the ease at which cyber criminals can quickly get hold of hugely sensitive and valuable data. He said that 2019 saw a huge increase in awareness from the public about the value and vulnerability of their data. “This means that any breach now is more in the spotlight of the media and regulators than ever before.
“With this in mind, companies, even if they consider themselves to be adhering to regulations need to be on the constant look out for new threats that very likely go beyond what existing regulations protect. They should also be aware of their supply chain, and how secure their partners are. You are essentially only as secure as those who have access to your systems, without ensuring you have a secure supply chain you will always be at risk. 2020 is likely to see an increase in the scrutiny on any data breach. With the increase of awareness from public and media alike, a data breach now cannot just cause a serious financial loss, but a serious impact on a company’s reputation.
“We are urging clients to be proactive in their approach to cyber security. Whilst the threat will never go away, ensuring that you are not sitting on your hands whilst cyber criminals are constantly working out new, innovative ways to get access to data, is a real step in protecting your customer’s data and your reputation.”
