(Reuters) - A British watchdog has fined DSG, a unit of retailer Dixons Carphone, half a million pounds for systemic failures in the management of personal data which left it open to a cyber attack affecting more than 14 million people.
Britain's Information Commissioner's Office (ICO) said in a statement here on Thursday that its investigation found that an attacker installed malware on 5,390 cash registers at Dixons Travel stores and DSG's Currys PC World between July 2017 and April 2018, collecting personal data.
The company’s failure to secure its systems allowed unauthorized access to 5.6 million payment card details used in transactions and the personal data of roughly 14 million people.
The information included full names, postcodes, email addresses and failed credit checks from internal servers.
In July 2018, the London-based company bumped up the estimate of records that may have been accessed to about 10 million from an earlier estimate of 1.2 million in the 2017 cyber attack.
Dixons Carphone Chief Executive Alex Baldock expressed his remorse over the incident, adding that the company has upgraded its detection and response capabilities ever since.
Separately, the company called some of the ICO’s key findings disappointing and said it was studying the conclusions in detail and considering its grounds for appeal.
The fine comes just a year after the ICO imposed a 400,000 pounds fine on Carphone Warehouse, another segment of Dixons Carphone, for similar security vulnerabilities.
The data incident, which had weighed on Dixon Carphone shares when it was revealed in 2018, was the second in three years for the company.
The ICO said DSG breached Data Protection rules by having poor security arrangements and failing to take adequate steps to protect personal data, which included vulnerabilities such as the absence of a local firewall.
Dixons Carphone, which traces its roots back to 1937, is listed on the UK midcap index and has a 26% market share in the electricals market with over 1,100 stores in the UK and Ireland as per its 2018 annual report.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” ICO’s Director of Investigations Steve Eckersley said.
Contraventions were so serious that the ICO imposed the maximum penalty, he said, adding the fine would have been much higher under new regulations.
(GRAPHIC: dc - here)
Reporting by Indranil Sarkar and Muvija M in Bengaluru, additional reporting by Safia Infant; editing by David Evans and Alexandra Hudson