An unhappy new year for Currys PC World and Dixons Travel stores: the ICO has issued their owner, DSG Retail Limited, with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine is the maximum available to the Commissioner under the Data Protection Act 1998, and in her findings she observed that “but for the statutory limitation on the amount, it would have been reasonable and proportionate to impose a higher penalty”. This decision is important for retailers, particularly those handling payment information. It also helps to understand the factors involved in the breach of security, and offers some insight into the ICO’s assessment of “appropriate technical and organisational measures”, which of course remain crucial requirements for the security of personal data under the GDPR.
In brief, DSG’s computer systems were compromised for a period of 9 months, between 24 July 2017 and 25 April 2018, although this went undetected until 5 April 2018. Having been made aware of the potential breach, DSG instructed a specialist security response team to investigate, which discovered that its systems had been hacked and that the attacker had been able to gain control of multiple domain administrator accounts. Malware had been installed that allowed the attacker to collect payment card information from POS terminals for any transactions during the relevant period, until DSG managed to contain the incident and apply remedial measures from June 2018 onwards.
DSG reported the incident to the ICO as a cyber-attack on 8 June 2018 and provided an update the following week with additional information about the breach, confirming there was evidence of unauthorised access to personal data. In later submissions to the ICO, DSG confirmed that a total of 5,646,417 payment cards had been affected; for most of the transactions the Primary Account Number (“PAN”) and expiry date were available to the hacker, and for a smaller proportion of the cards involved the cardholder name was also available. As the PAN identifies the bank to which the card belongs, DSG initially argued that, unless the cardholder’s name was also available, the data was anonymised and did not constitute personal data. The ICO dismissed this argument, citing earlier guidance on the concept of personal data.
Unfortunately, in addition to the financial personal data, DSG found that the breach had potentially compromised huge volumes of non-financial personal data, including names, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit check details; although it could not confirm the exact number, it believed approximately 14 million data subjects were affected.
Given the number of affected individuals and the fact that payment card data was involved, the ICO commenced its own investigation and ultimately found that there were multiple security inadequacies and that DSG had breached the 7th data protection principle (under the DPA 1998), in that:
- Network segregation was insufficient (POS systems were not segregated from the wider DSG corporate network);
- There was no local firewall configured on POS terminals (which could have prevented unauthorised access and movement of data), and DSG did not have measures to detect unauthorised changes to the wider firewalls on its system;
- Software patching of domain controllers and admin systems was inadequate (it was suspected that the attacker exploited a vulnerability in a Microsoft tool that should have been patched, but the patching had only been partially completed), leaving domain admin usernames and passwords exposed;
- Vulnerability scanning was not performed on a regular basis (DSG could have detected and resolved vulnerabilities earlier);
- Application whitelisting was enforced inconsistently across POS terminals (a measure the ICO found could, in combination with other measures, stop a hacker even if they bypassed the whitelist blocking mechanisms);
- There was no effective system of logging and monitoring to identify and respond to incidents (creating a security risk and impeding detection and investigation of any incident);
- Security of POS systems was not effectively managed (versions of some of the software used were years out of date);
- The POS system was outdated and did not support Point-to-Point Encryption (“P2PE”) (which the Payment Card Industry Data Security Standard (“PCI-DSS”) endorses as a means of preventing access to payment card data at the point of signature or use of chip and PIN);
- Domain administrator accounts were not effectively managed or risk assessed and DSG failed to adhere to its own policies on access and passwords; and
- DSG had failed to implement standard builds for all system components based on industry standard hardening guidance (which would have reduced vulnerability and risk of compromise).
The ICO therefore considered that the conditions for a fine under s.55A, DPA 1998 had been met, and the contravention was serious, in that:
- “The problems were wide-ranging and systemic”;
- “A number of the inadequacies related to basic, commonplace measures needed for such system”;
- “The inadequacies persisted over a relatively long period of time, given how a foundation level of security standard could have identified and remedied them”;
- “The amount of personal data contained on DSG’s systems and the number of affected individuals was significant, which increases the seriousness of DSG’s data security inadequacies”;
- “The Commissioner received a significant number of complaints in relation to DSG” (evidencing the distress of data subjects and worry of increased risk of fraud);
- “The attack to DSG’s systems had been ongoing for 9 months before it was detected. This gave the attacker ample opportunity to view and/or extract data prior to remedial measures being taken”;
- “The seriousness of the incident is heightened by the nature of the personal data involved”;
- “As a large nationwide retailer, the Commissioner considers the general public would expect that DSG would ‘lead by example’ and to be sufficiently protected so as to avoid such systemic non-compliance.”
Determining the level of fine
In considering the amount of the penalty, the Commissioner reviewed mitigation put forward by DSG and certain aggravating features.
DSG submitted that it had:
- Notified 25 million potentially affected data subjects by email and through advertising;
- Established a call centre to handle questions;
- Procured credit monitoring services;
- Worked with its acquiring bank to mitigate exposure to fraud;
- Notified the ICO of the attack and fully cooperated with the investigation and other agencies;
- Made significant investment in data security processes and systems, including the implementation of P2PE; and
- Suffered negative impact on its brand and reputation.
DSG also argued that press reports about the incident had helped spread awareness among controllers of the vulnerabilities, and that this had incentivised them to improve their security.
Despite these arguments, the ICO found that:
- There was no “justification or excuse for the extent of these systemic inadequacies”, given DSG’s size and profile;
- DSG did not “proactively detect the breach”; and
- Unfortunately for DSG, it had been the subject of an earlier monetary penalty in 2018 (Carphone Warehouse was previously fined £400,000 for similar vulnerabilities).
Even issuing a statement to customers expressing disappointment and apologising for any upset caused (something most organisations would consider in response to such an incident) was taken as evidence of DSG’s awareness that the incident was of a kind likely to cause substantial damage or distress.
Taking everything into account, the ICO decided that a fine of £500,000 was reasonable and proportionate. This can be reduced to £400,000 if DSG pays the sum before 6 February 2020 (provided it does not appeal).
The fine is significant (if not huge in the context of the GDPR), but DSG may also face claims for compensation from affected individuals, which is likely to deepen the impact of this incident.
For controllers and processors, this decision is worth noting for the level of detail on the technical and organisational security measures expected by the ICO, and for its recognition of industry security standards such as PCI-DSS. The GDPR lists certain measures, but without much explanation of what is sufficient for each organisation; that depends on the context of the data processing, the risks involved, the state of the art and the costs of implementing the measures. Understanding the ICO’s approach to these incidents, and therefore preparing in advance by implementing appropriate security measures (and, importantly, keeping them up to date and under review), is vital to protecting personal data and the business.