Last month the Information Commissioner's Office (ICO), the UK data protection regulator, imposed a monetary penalty notice of £500,000 on electronics retailer DSG Retail Limited (DSG), a company better known by its trading brands, such as Currys PC World and Dixons Travel. DSG is a subsidiary of Dixons Carphone plc.
The personal data breach occurred during a compromise of DSG's systems in the time period between 24 July 2017 to 25 April 2018. As this was prior to the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the maximum penalty available to the ICO under the former Data Protection Act 1998 (DPA 1998) was a fine of £500,000.
The ICO's decision to impose the maximum penalty is another clear example of the fact that the ICO is determined to use its fining powers when it considers it appropriate and to impose high fines for what it considers to be serious failures. This strategy is also evidenced by the ICO's notices of intent of July 2019 to fine British Airways £183,390,000 and Marriott International £99,200,000 for personal data breaches that, according to the ICO, resulted at least partly from failures to comply with the data security requirements of the GDPR (although, obviously, we need to wait for the ICO's final Monetary Penalty Notices in these cases to confirm the amounts of the fines that the ICO will impose in the end).
It should be noted that, according to a statement to the London Stock Exchange on 9 January 2020 (the same date as the ICO monetary penalty notice), DSG's CEO stated that DSG is disappointed in some of the ICO's key findings which it has previously challenged and continues to dispute, and is considering its grounds for appeal. On 6 February 2020 it was reported that DSG is appealing the fine.
As explained in the ICO's monetary penalty notice, DSG was alerted to an issue with its computer systems by external intelligence received on 5 April 2018. DSG commissioned a specialist security team to respond, which confirmed that a malicious third party had compromised the systems and had taken control of multiple domain administrator accounts.
This enabled the attacker to install malware on 5,390 Point of Sale (POS) terminals in Currys PC World and Dixons Travel Stores, thus allowing them to harvest a variety of details from a total of 5,646,417 payment cards.
In addition, the attacker exfiltrated data from DSG's internal servers, including records relating to approximately 14 million data subjects, containing non-financial information (e.g. name, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit checks).
The cyber incident was fully contained in June 2018, once remedial measures were implemented.
DSG, as a retailer processing credit card information, was required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
For those not familiar with PCI DSS, it is an information security standard for organisations that handle payment cards from the major payment card schemes. It is imposed on merchants and banks by the card brands and administered by the Payment Card Industry Security Standards Council. In a nutshell, PCI DSS sets out operational security measures required in the payment card environment, requires regular validation of compliance through prescribed means, and sets out sanctions, including fines, for compliance failures. Approached from a personal data/GDPR point of view, PCI DSS is, in effect, a parallel data security regime for payment card data. At the same time, it is the information security standard that fleshes out the meaning of "appropriate technical and organisational measures" when it comes to the security of payment card data, as evidenced by the ICO's decision in DSG and previously stated in the ICO guidance.
According to the ICO notice of intent, between 9 and 11 May 2017 an information security consultancy instructed by DSG carried out an assessment of the POS terminals in Dixons and Carphone stores. They found multiple critical vulnerabilities, demonstrating that DSG were not compliant with PCI DSS. However, despite the serious issues uncovered by the assessment, DSG did not expedite the process of bringing its security up to the required standards – and the ICO considered this to be a relevant factor in reaching its decision on whether to impose the monetary penalty notice on DSG. This is a useful reminder that it is very difficult to defend failures to act on known issues (e.g. identified through an audit or in the context of a previous incident or breach) and this will be an aggravating factor in the context of regulatory investigations, litigation or when claiming under insurance policies, as well as from a PR point of view.
The decision is a reminder to organisations that, firstly, the ICO can (and does in our experience) ask for all and any relevant reports – so even advice received from IT security advisers prior to the data breach can end up informing the ICO's decision. This does not extend to advice that is protected (for instance, legally privileged advice), although in practice organisations may decide to disclose it. Secondly, that it is wise to act on advice, especially when it is pointing to deficiencies in security infrastructure. If you choose not to, and a related breach occurs, the inaction despite corporate knowledge is an aggravating factor.
As mentioned above, the monetary penalty notice stated that the ICO took PCI DSS into account in determining whether appropriate security was in place. Although the decision was made under the DPA 1998, the GDPR sets out the same requirement, for both controllers and processors, to apply appropriate technical and organisational measures to keep personal data secure. Therefore, compliance with PCI DSS continues to be the information security standard for retailers and other merchants to attain in relation to any payment card data they process. This aspect of the decision is a clear reminder of the importance of information security standards, such as PCI DSS and the ISO 27000 series, in fleshing out the high-level security requirements of the GDPR (and other legislation that sets out data or system security requirements, such as the EU e-Privacy Directive/UK e-Privacy Regulations and the EU NIS Directive/UK NIS Regulations). In our opinion, regulators (and courts) will also look increasingly at the guidance of expert organisations and centres of excellence, such as the UK National Cybersecurity Centre (NCSC) to flesh out the meaning of "appropriate" in particular contexts, e.g. in relation to good password management, phishing emails or software patching.
Data security: what "Good" looks like
As in previous decisions, the ICO includes detail of the failures that it identified in relation to data security in the DSG systems. The issues identified provide clarity regarding the basic minimum standards that the ICO will expect in similar contexts.
- insufficient network segregation (which otherwise could have contained the incident and stopped it from spreading from one section of the network to another);
- lack of local firewall configured on the POS terminals (which could have prevented unauthorised access to the POS system and/or exfiltration of data, or at least could have meant the attacker left a larger footprint and so was more easily detected);
- software patching was systemically inadequate and not even compliant with DSG's own policy on the POS terminals (an issue which had been flagged specifically in the PCI DSS assessment, above);
- vulnerability scanning was not performed on a regular basis;
- failure to manage application whitelisting correctly across the POS terminals;
- lack of an effective system of logging and monitoring to identify and respond to incidents;
- outdated software deployed on the POS systems and not effectively managed;
- outdated POS systems did not support Point to Point Encryption (P2Pe), which would have prevented access to the plain text card data;
- failure to manage the security of its domain administrator accounts, including failures to adhere to its own policies and controls; and
- failure to implement standard builds for all system components based on industry standard hardening guidance.
The ICO's decision
All in all, the ICO saw each of the inadequacies above as a contravention of the requirement to have appropriate security (as per DPP7 in the DPA 1998, which has its equivalent in Article 32 of the new GDPR). Taken on a cumulative basis, the ICO considered this to have been a multifaceted contravention of DPP7.
The ICO noted that the problems with DSG's data security were wide-ranging and systemic, not single isolated gaps in an otherwise robust security architecture. To make matters worse, the inadequacies related to basic, commonplace measures which the ICO considered were needed for any system – let alone the systems of a major UK retailer that was handling a large amount of payment card data, as well as non-financial data of vast numbers of customers. Organisations which suffer a personal data breach want to be able to argue that the breach happened despite their overall good security (even when isolated issues that require improvements exist). Furthermore, getting the basics of systems and data security right can take organisations a long way towards mitigating their cybersecurity risk (see, for example, the UK NCSC's 10 steps to cybersecurity).
DSG attempted (unsuccessfully, in the ICO's opinion) to argue that the ICO was imposing unjustifiably high standards of data security. Rejecting this argument, the ICO went so far as to state in its decision that, given DSG's profile as a business, it would have expected DSG to "lead by example". Leaving aside the question of whether, in this particular case, in a legal sense, this statement in itself goes beyond the requirements of the GDPR, it is a useful reminder that the size and resources of a business are factors that the ICO will take into account when deciding what enforcement action to take. The ICO will take a pragmatic approach when considering data security failures by smaller organisations (consistent with the fact that the GDPR states that the assessment of what is "appropriate" security should take into account the cost of implementation). It is also a word of warning for any major business with a public profile that the ICO has higher expectations of them. Finally, it accentuates the fact that, beyond robust UK and EU legal requirements for cybersecurity (under the GDPR, e-Privacy and NIS regimes), organisations are also facing high stakeholder expectations.
In its favour, DSG had taken measures to notify 25 million potentially affected persons (although the ICO observed that it was unclear how effectively the offer of credit monitoring was communicated to affected data subjects and, therefore, gave DSG only limited credit for this), had fully cooperated with the ICO investigation and had made significant investments in data security since the attack.
The ICO even weighed, as a mitigating factor, that the fact that the matter had been reported heavily in the press had had the effect of incentivising other data controllers to improve their data security.
The decision is a useful "bellwether" example of the data security standards that the ICO expects of businesses that handle payment card data and have a high public profile. Major consumer-facing businesses should take note. The decision also reinforces the fundamentals of cybersecurity compliance and risk mitigation for all organisations (whether controllers or processors).
Good operational systems and data security in the form of appropriate technical and organisational security measures are the baseline. If an organisation suffers a security breach, it wants to be able to say that the breach happened despite its overall good security, rather than its poor security. Security defences form the baseline of risk mitigation and extend beyond technical controls to organisational measures (policies, processes and contract terms) and people, in particular. The ICO's decision in DSG reminds us that:
- getting the basics right and ensuring that the essential elements of cybersecurity are in place can take organisations a long way in terms of risk mitigation;
- information security standards, such as PCI DSS (when applicable) and ISO 27000, flesh out the requirements of the GDPR. It is difficult to demonstrate that security is "appropriate" if an organisation does not meet the measures required by relevant information security standards. Other expert technical guidance is also relevant in this regard; and
- it is extremely difficult to defend failures to promptly rectify known issues or practices that are in breach of the organisation's own policies, both of which are aggravating factors in the eyes of the ICO and more broadly.
Appropriate incident and breach response is essential and, in DSG's case, this was taken into account by the ICO as a mitigating factor. Incident preparedness is key in this regard and comprises the following:
- an appropriate incident and breach response plan;
- the right people in the internal incident response team and external incident response partners;
- training, including tabletops/war gaming; and
Appropriate insurance cover will help transfer some cybersecurity risk and recover losses, and forms the third element of efficient cybersecurity risk management. However, it is essential to know the risks that are covered under insurance policies, including any specific cyber product, and those that are not.
As mentioned above, on 6 February 2020 it was reported that DSG is appealing the fine.