The fine issued by the Information Commissioner to DSG Retail (trading as Dixons Travel Stores / Currys / PC World) makes sobering reading on several levels. A data breach caused by malware on the retailer's point-of-sale terminals looks, at first sight, like the kind of sophisticated attack by cyber criminals that is simply unavoidable.
However the decision is worth a read:
1. It lists out several of DSG's basic yet significant security deficiencies in some detail - any organisation that still has these deficiencies should ask its IT and security teams to explain why.
2. DSG had a report generated by consultants a year before it spotted the breach. The report highlighted security inadequacies - DSG failed to act on the report. Sections of the report are quoted in the ICO decision.
In-house lawyers should always consider the purpose of engaging external consultants and whether the contents of any resulting report should be privileged.
3. It sets out the mitigating and aggravating factors in relation to DSG's handling of the breach.
4. The ICO has reiterated that poor security practices can amount to a breach of the GDPR security principle regardless of whether they lead to the extraction of personal data.
As this breach occurred pre-GDPR, the ICO could only impose a fine of up to £500,000. It has imposed this maximum amount (which will be reduced by 20% for early payment, the discount being lost if DSG chooses to appeal). What is clear is that when the next breach occurs and similarly poor security practices are found in the data controller's IT systems, the level of fine imposed will be headline grabbing.
There were a number of distinct and fundamental inadequacies in the ... security systems