Dixons Carphone is one of the largest electronics and phone retailers in the UK. British regulators recently fined the company £500,000 ($653,000) over a data breach that exposed millions of customers’ records.
According to the Information Commissioner’s Office (ICO), Dixons violated the U.K.’s Data Protection Act 1988. The company had poor security arrangements and failed to take proper steps to protect personal data. In its report, the ICO said of the inadequate measures:
“This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing”
Dixons Carphone is also known as DSG Retail and has stores in eight countries. This is the second time in two years that DSG has been fined. It was first fined £400,000 ($523,000) in January 2018 for the 2015 breach of its Carphone Warehouse subsidiary. In that breach, the attacker exploited an outdated WordPress installation.
Dixons’ breach began in July 2017 and persisted until April 2018, which means it took place before the GDPR came into force in May 2018. Hence the company avoided the larger fine that would have been imposed under the EU’s strict GDPR privacy law, under which organizations can face fines of up to 4 percent of annual global revenue. In Dixons’ case, the regulators applied the previous data protection law, which allowed a maximum fine of £500,000.
According to the ICO’s investigation, the attackers installed malware on 5,390 e-cash registers across the company’s stores. The malware exploited the personal information of 14 million individuals and collected details of 5.6 million payment cards. The exposed information included full names, emails, postcodes and failed credit checks from internal services.