Following a cyber attack that came to light in 2018, the Information Commissioner's Office has issued a fine of £500,000 to Dixons Retail Group. While the attack may have been a malicious act by a third party, the ICO's monetary penalty notice provides some helpful reminders about the steps that organisations should take to guard against cyber attacks.

What happened?

The ICO found that DSG had failed to comply with the seventh data protection principle - the obligation to keep personal data secure. As with the Carphone Warehouse cyber attack in 2015, the ICO found that DSG had not taken appropriate steps to protect personal data from malicious attacks.

Haven't we been here before with Carphone Warehouse?

In its decision notice, the ICO says that the previous incident involving DSG's Carphone Warehouse subsidiary is an aggravating factor.

In other words, the fact that the ICO had previously taken enforcement action against a DSG company for a similar incident was a reason for imposing a fine at the higher end of the scale. In this case, the fine was the maximum possible fine under the Data Protection Act 1998, which was the legislation in force at the time of the breach. However, the ICO's notice makes clear that had GDPR applied then a higher penalty would have been imposed.

Readers may recall that in July 2019 the ICO issued notices of intention to British Airways owner IAG and Marriott in relation to cyber attacks on those organisations. In both those cases, the action relates to alleged failings in relation to the steps that could have been taken to guard against cyber attacks or to check systems for vulnerabilities. The figures involved are huge - £183m in the case of British Airways/IAG and £99m in the case of Marriott.

However, more than six months on we are still awaiting a final notice and earlier this month the ICO confirmed that the usual six month period for converting the notice of intention to fine has been extended in both cases to 31 March 2020.

What should organisations be doing?

The ICO's action is a reminder that organisations need to take appropriate steps to protect their systems (and personal data) from malicious attacks.

In this case, the ICO notes a catalogue of errors, including:

  • non-compliance with PCI-DSS, the security standards mandated by payment card schemes on organisations that handle payment card data;
  • a failure to follow Microsoft guidance on patching vulnerabilities, system configuration and the use of firewalls; and
  • a reliance on outdated software (including the use of software on POS terminals that was 8 years old).

Some of these issues were brought to DSG's attention following an assessment by an information security consultancy in May 2017, but were not acted upon.

In the circumstances, and given the previous incident involving Carphone Warehouse, a fine at the top end of the scale was inevitable.

If you would like to discuss the ICO's action against DSG, your organisation's approach to data security or your use of third party processors, please get in touch.


Martin Sloan