In the summer of 2018, British shoppers found out that hackers had planted malware on 5,390 point-of-sale payment tills at the high street stores of Currys PC World and Dixons Travel, stealing the personal data records of 1.2 million individuals and the details of 5.6 million payment cards.
An investigation uncovered that the data was stolen between 24 July 2017 and 25 April 2018, and identified a number of security failings on the part of parent company DSG Retail, including:
- The point-of-sale (POS) systems were not segregated from the wider Dixons corporate network. Network segmentation could have helped contain the compromise to just one part of the network.
- There was no local firewall configured on the POS terminals.
- Inadequate software patching of DSG’s domain controllers and the systems used to administrate them.
- A lack of regular scanning to identify vulnerabilities on the network.
- Not all POS terminals were properly configured with application whitelisting to prevent unauthorised code from running.
- A lack of logging and monitoring systems to identify incidents and respond in a timely fashion.
- Some POS terminals were running out-of-date software. For instance, an eight-year-old version of Java.
- DSG’s outdated POS system did not support point-to-point encryption (P2PE) of card data.
This week the Information Commissioner’s Office (ICO) announced that it was fining DSG Retail £500,000.
What struck me, however, is that the fine could have been much MUCH worse for DSG Retail if the hack had gone unnoticed for just one more month.
You see, on May 25 2018 (just one month after the hack of the POS terminals was spotted) the EU’s GDPR legislation came into force. And if a firm is found to have violated the GDPR, it can be fined up to €20 million or up to 4% of its annual worldwide turnover, whichever is greater.
As it was, the ICO hit DSG Retail with the highest fine it could under the pre-GDPR legislation, but, as Steve Eckersley, the ICO’s Director of Investigations, explained, the fine would have been considerably higher if the hack had taken place under the GDPR.
“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
You can hear more about what we had to say at the time about the Currys PC World/Dixons Travel data breach in this episode of the “Smashing Security” podcast, with technology journalist Geoff White: