What factors did the ICO take into account when issuing the maximum £500,000 penalty (under the old Data Protection Act) against DSG for a data security breach relating to its Point of Sale (POS) payment terminals?

The key takeaway

The ICO confirmed what many already know about acceptable security standards, namely that the key elements include: the type and volume of the data concerned; the nature, size and resources of the business; the prior knowledge of and timely response to known vulnerabilities; and compliance with industry standards.

The background

In May 2017 DSG, better known as Curry’s PC World and Dixons Travel, commissioned IT consultants to assess its POS payment terminals across its stores to determine compliance with PCI DSS standards (operational security standards for organisations handling payment cards). Although the result of the assessment was that the system was not PCI DSS compliant due to various vulnerabilities, DSG was slow off the mark to remedy the issues and ensure that its systems were of the necessary security standards.

By April 2018 (notably just before GDPR took effect in May 2018), DSG became aware that its in-store POS payment terminals had been compromised. It was found that, for a period of nine months (July 2017 to April 2018), a cyber-attacker had taken control of numerous domain administrator accounts to install malware onto DSG’s POS systems which accessed the payment card details of 5.6 million customers (although it was found that only 85 cards had been subjected to potentially fraudulent use) and gathered the non-financial personal data of approximately 14 million customers (including full names, postcodes, telephone numbers, email addresses and failed credit checks) from DSG’s servers.

DSG received almost 3,300 customer complaints in respect of the breach, whilst the ICO recorded 158 complaints.

The decision

According to the ICO, DSG’s data security processes fell below the basic minimum standards expected by the ICO as a result of various wide-ranging systemic failures, including:

  • insufficient network segregation to contain the attack
  • lack of local firewalls on the POS terminals to avert an attack
  • systemically inadequate software patching
  • irregular performance of vulnerability scanning
  • inadequate incident response systems
  • outdated and mismanaged software, including systems which do not support Point-to-Point encryption
  • mismanagement of application white-listing across POS terminals
  • mismanagement of the security of its domain administrator accounts
  • failure to adhere to industry standard hardening guidance.

The ICO saw each of the inadequacies above as significant enough in their own right to be a contravention of the requirement to have appropriate data security. However, on a cumulative basis, the ICO considered the breach to have been a serious multifaceted contravention of the seventh data security principle in the Data Protection Act 1998 (DPA 1998) (its equivalent in the GDPR is Article 32), namely the requirement to keep data secure.

The ICO issued the maximum penalty under the DPA 1998; a £500,000 fine. In deciding to impose the maximum monetary penalty against DSG, the ICO pointed to several aggravating factors, including:

  • the nine month delay in identifying the security breach
  • the fact that DSG was aware of certain vulnerabilities due to the earlier PCI DSS assessment but did not adequately expedite its reaction to the issues identified (ie by ensuring that PCI DSS industry standard procedures and technologies were subsequently implemented and maintained (regardless of the cost))
  • that as a large high-profile retailer controlling vast sums of financial and non-financial personal data, DSG would be expected by the public to lead by example in respect of data security
  • the nature of the breach and the substantial distress caused to the individuals affected (supported by the fact that DSG had issued a press release recognising the ‘upset’ caused)
  • that the ICO had previously fined Carphone Warehouse, a company belonging to the same group as DSG, £400,000 at the beginning of 2018 for similar security failings.

The ICO did consider some mitigating factors in DSG’s favour such as the fact that DSG had taken steps to notify potentially affected customers, cooperated fully with the ICO investigation and invested significantly in its data security to avoid future breaches. Nonetheless, the ICO considered the maximum penalty to be appropriate in the circumstances. DSG is reportedly appealing the fine.

Why is this important?

A decision by the ICO to impose the maximum penalty under the DPA 1998, and its comment that “the fine would inevitably have been much higher under the GDPR” serves as a further reminder just how seriously the ICO takes data security breaches. As such, this decision is helpful in determining which factors the ICO will take into account when determining whether a business’ security standards will fall below those expected by the ICO, including the nature, size and resources of that business, the type and volume of data, prior knowledge of and timely response to any known vulnerabilities and compliance with industry standards.

Additionally, given the number of complaints already received, it is still possible that DGS may be subject to potential civil action brought by those customers affected by the breach. If such a claim is forthcoming, this would provide welcome insight into how the civil courts intend to deal with such damages claims post the recent Lloyd v Google ruling.

Any practical tips?

Businesses should ensure that they proactively maintain proper security systems and processes, in accordance with both the ICO’s expectations and also industry standards and guidelines. If testing of systems is carried out (such as happened with DSG’s POS payment systems), then senior management should be warned on the way into those tests that they may need to spend time and money (quickly) fixing any deficiencies which are unearthed, particularly if they relate to data security.