#Privacy: ICO issues maximum pre-GDPR fine on major UK retailer

Last month the Information Commissioner’s Office (ICO), the UK data protection regulator, imposed a monetary penalty notice of £500,000 on electronics retailer DSG Retail Limited (DSG), a company better known by its trading brands, such as Currys PC World and Dixons Travel. DSG is a subsidiary of Dixons Carphone plc.

The personal data breach occurred during a compromise of DSG’s systems between 24 July 2017 and 25 April 2018. As this was prior to the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the maximum penalty available to the ICO under the former Data Protection Act 1998 (DPA 1998) was a fine of £500,000.

The ICO’s decision to impose the maximum penalty is another clear example of its determination to use its fining powers when it considers it appropriate and to impose high fines for what it considers to be serious failures.

This strategy is also evidenced by the ICO’s notices of intent of July 2019 to fine British Airways £183,390,000 and Marriott International £99,200,000 for personal data breaches that, according to the ICO, resulted at least partly from failures to comply with the data security requirements of the GDPR (although, obviously, we need to wait for the ICO’s final Monetary Penalty Notices in these cases to confirm the amounts of the fines that the ICO will impose in the end).

It should be noted that, in a statement to the London Stock Exchange on 9 January 2020 (the same date as the ICO monetary penalty notice), DSG’s CEO said that DSG is disappointed in some of the ICO’s key findings, which it has previously challenged and continues to dispute, and is considering its grounds for appeal. On 6 February 2020 it was reported that DSG is appealing the fine.

A Point of Sale compromise

As explained in the ICO’s monetary penalty notice, DSG was alerted to an issue with its computer systems by external intelligence received on 5 April 2018. DSG commissioned a specialist security team to respond, which confirmed that a malicious third party had compromised the systems and had taken control of multiple domain administrator accounts.

This enabled the attacker to install malware on 5,390 Point of Sale (POS) terminals in Currys PC World and Dixons Travel stores, allowing them to harvest a variety of details from a total of 5,646,417 payment cards.

In addition, the attacker exfiltrated data from DSG’s internal servers, including records relating to approximately 14 million data subjects, containing non-financial information (e.g. name, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit checks).

The cyber incident was fully contained in June 2018, once remedial measures were implemented.

