The UK’s data watchdog has fined Dixons Carphone half a million pounds over a computer hack which compromised the personal information of at least 14 million people.
The Information Commissioner’s Office (ICO) found that hackers were able to access the names, postcodes, email addresses and failed credit checks of millions.
The data also included the details of 5.6 million payment cards used between July 2017 and April 2018.
Dixons Carphone subsidiary DSG Retail Limited did not keep its software up to date or install a local firewall, the ICO said.
This allowed hackers to put malware on 5,390 tills at Currys PC World and Dixons Travel, harvesting data for nine months.
“Our investigation found systemic failures in the way DSG Retail Limited (a Dixons Carphone subsidiary) safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen,” said Steve Eckersley, the ICO’s director of investigations.
The company narrowly escaped a much bigger fine under new GDPR rules which only came into effect after the breach started. Sanctions can now be up to 20 million euro (£17 million) for a significant breach.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” Mr Eckersley said.
Dixons Carphone chief executive Alex Baldock said: “We are very sorry for any inconvenience this historic incident caused to our customers… We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”
It is not the first time a company in the group has been fined over cybersecurity failures. In January 2018, Carphone Warehouse was fined £400,000 by the ICO.
The ICO said that while cyber attacks are becoming more frequent, it is up to companies to take their security seriously and protect people’s data.