Dixons Carphone was recently issued with a £500,000 fine after an investigation by the Information Commissioner’s Office (ICO) concluded that a series of “systematic failures” in how the retailer safeguarded personal data led to information about 14 million customers being stolen by cyber criminals.
This hacking campaign was active between July 2017 and April 2018 and resulted in malware being installed on 5,390 Point-of-Sale (POS) systems at Currys PC World and Dixons Travel Stores, owned by DSG Retail Ltd.
The ICO report on the investigation describes how the data breach occurred as a result of “failures related to basic, commonplace security measures”.
Data from a total of 5,529,349 EMV chip-and-pin cards was taken, including the primary account number and the expiry date. For 52,788 non-EMV cards, likely from shoppers outside of the UK, the account number and expiry date was taken, along with the cardholder name in respect of 8,629 cards.
On top of that, DSG calculated that in a worst-case scenario 10 million records such as names, addresses and phone numbers were also stolen from its servers, plus another 2.9 million records that were likely stolen, plus 73% of a database containing 4.7 million records. All in all, the hack probably saw data on 14 million people extracted by hackers who have not been caught.
While the breach only came to public light in June 2018, the dates the intruders were active on the network fell before the General Data Protection Legislation (GDPR) came into force across the European Union in May 2018. If the breach had occurred just a few months later, DSG could have been facing a significant fine – up to 4% of annual global turnover. Under the 1998 Data Protection Act, the maximum possible fine is £500,000.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR,” said Steve Eckersley, director of investigations at the ICO.
“It is particularly concerning that a number of the inadequacies related to basic, commonplace measures needed for any such system,” said the ICO report on the DSG breach.
Among other issues, the ICO found that DSG’s network segregation was insufficient, and that no local firewall was configured for the POS terminals. It said DSG’s approach to software patching of its domain name controllers was inadequate, and that vulnerability scanning of the compromised environment was not performed on a regular basis.
The ICO said DSG didn’t have an effective system for logging and monitoring in place that was used to identify and respond to incidents and did not effectively manage the security of its POS systems.
Other retailers and organisations processing personal data should make sure that they have covered all of these issues themselves.
“All organisations which process consumer data are going to be targets. Taking that into account, keep stress-testing systems; make sure that you’re keeping everything under review. Get security consultants to try and break into the system; just test it to make sure it’s resistant enough” says Laurie Heizler, head of intellectual property technology and media at Barlow Robbins.
“If I was a retailer, I’d be seriously looking at the security architecture you have in place. If I was sitting on the board in one of these organisations, I’d be asking my teams to explain to me how this couldn’t happen to us and why we wouldn’t be issued with a similar decision” says Emma Wright, commercial technology partner at Kemp Little LLP.
Dixons Carphone isn’t happy with the ICO’s decision to issue a fine and the company is considering an appeal.
“We have upgraded our detection and response capabilities and, as the ICO acknowledges, we have made significant investment in our Information Security systems and processes,” says Alex Baldock, CEO of Dixons Carphone.
“We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”
MORE ON CYBERSECURITY