Currys PC World Fined by the ICO

Earlier this month the UK regulator of Data Protection, the Information Commissioner’s Office announced that it was to fine DSG Limited (DSG) £500,000. DSG owns high street brands such as Currys PC World.

According to the ICO, a ‘point of sale’ computer system was ‘compromised’ between 24 July 2017 and 25 April 2018. The ICO investigation found that an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel Stores.

The incident occurred prior to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) coming into force on 25 May 2018, which means that the fine was issued under the old Data Protection Act 1998 (DPA98).  The £500,000 monetary penalty is the maximum amount under the DPA98 and the fine probably would have been much higher under the GDPR.

In reaching its decision, the ICO considered the seventh Data Protection Principle (DPP7) which says that said that:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

DPA98 explained:

“the measures must ensure a level of security appropriate to:

(a)  the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b)  the nature of the data to be protected.

The ICO has reported on its website that as of March 2019, nearly 3,300 customers had contacted DSG about the data breach.

The ICO has said that if the penalty is paid by 7 February 2020 it will be reduced to £400,000.

It’s not the first time that DSG has been subject to a fine by the ICO, back in January 2018 the ICO fined Carphone Warehouse which is part of the same group £400,000.