Dixons Carphone is facing a £500,000 fine from the ICO (Information Commissioner’s Office), following a cyber attack that affected millions of customers.
An investigation by the UK’s data protection watchdog found cyber criminals had compromised the retailer’s payment systems and siphoned off the credit and debit card information of 14 million customers.
The malware was present on Dixons Carphone’s systems from July 2017 until it was finally removed in April 2018.
The £500,000 fine is the maximum possible fine under the DPA (Data Protection Act) 1998, which applied to this incident because the data breach occurred before the GDPR (General Data Protection Regulation) took effect.
There had been speculation that Dixons Carphone wouldn’t get so lucky. Had the breach spilled over beyond 25 May 2018, it could have been subject to the GDPR’s requirements and facing a fine of up to 4% of its annual global turnover, which would have been tens of millions of pounds.
But that’s pretty much the only silver lining for Dixons Carphone, which has suffered sustained financial and reputational damage since disclosing the data breach.
Why has the fine taken so long to materialise?
It’s become clear since the GDPR came into effect that the ICO doesn’t issue fines lightly. The first fines issued under the Regulation – against Marriott International and British Airways – came eight and ten months after the incidents were disclosed.
It usually takes six to nine months for the ICO to investigate an incident, interview employees and review documents provided by the breached organisation before announcing any disciplinary action.
It’s taken even longer for Dixons Carphone to learn its fate – almost 18 months. That’s an aberration of sorts, owing to the chaos that came with the introduction of the GDPR at the same time, but it’s not excessive.
In fact, there are no doubt many other breaches that occurred around that time that will only be reaching the final stages of the ICO’s review process now.
That means we’re likely to see a steady stream of fines being handed out as the supervisory authority makes its way through the backlog of work that coincided with the introduction of the GDPR.
The lesson here is not to assume that organisations have escaped punishment just because there have been no updates on an investigation.
The ICO will always get around to reported data breaches, and breached organisations will always have work to do, whether or not the investigation is made public.
Breach management as a service
Unsure about how you should approach your data breach notification requirements? Our Breach Management as a Service package provides the help you need.
Our team of experienced data privacy lawyers and DPOs (data protection officers) will work with you to complete a range of tasks, such as:
- Creating and maintaining a breach log, as per the ICO’s guidelines;
- Liaising with your organisation’s DPO to ensure policies are consistent;
- Advising you on your business continuity planning and organisational learning strategies; and
- Reviewing your organisation’s internal report process to ensure breaches are recognised and reported in a timely and appropriate manner.
We’ll also provide dedicated support when and if you suffer a breach, helping you assess what went wrong, determining whether it needs to be reported, advising you on the immediate steps you should take to mitigate the damage, liaising with data subjects and conducting forensic analysis.