The parent company of Currys PC World has been fined £500,000 after the tills in its shops were compromised by a cyber-attack that affected at least 14 million customers.
Between July 2017 and April 2018, hackers were able to install malware onto 5,390 computer systems and tills located at Currys PC World and Dixons Travel outlets, both owned by DSG Retail Limited.
The software remained undetected over the nine-month period, allowing hackers to collect a huge amount of data, including the payment card details of 5.6 million people as well as personal information, exposing customers to identity and financial theft and fraud.
Following an investigation into the attack, the Information Commissioner’s Office (ICO) found systemic failures in the retailer’s management and protection of customer data.
The ICO held that the company had failed to maintain adequate security measures to protect its data, resulting in the maximum level of fine being imposed.
As the incident pre-dated the introduction of the General Data Protection Regulation (GDPR) in May 2018, it was dealt with under the Data Protection Act 1998, which provided for a maximum fine of £500,000.
Had the GDPR applied, the level of financial penalty could have reached up to 4% of annual turnover, or £17 million.
Last year, the ICO also fined another DSG company, Carphone Warehouse, £400,000 for similar security vulnerabilities.