ICO imposes maximum pre-GDPR fine on major UK retailer: cybersecurity lessons for retailers (and other organisations)
Last month the Information Commissioner's Office (ICO), the UK data protection regulator, imposed a monetary penalty notice of £500,000 on electronics retailer DSG Retail Limited (DSG), a company better known by its trading brands, such as Currys PC World and Dixons Travel. DSG is a subsidiary of Dixons Carphone plc.
The personal data breach occurred during a compromise of DSG's systems between 24 July 2017 and 25 April 2018. As this was prior to the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, the maximum penalty available to the ICO under the former Data Protection Act 1998 (DPA 1998) was a fine of £500,000.
The ICO's decision to impose the maximum penalty is another clear example of the ICO's determination to use its fining powers when it considers this appropriate, and to impose high fines for what it considers to be serious failures. The same strategy is evidenced by the ICO's notices of intent of July 2019 to fine British Airways £183,390,000 and Marriott International £99,200,000 for personal data breaches that, according to the ICO, resulted at least partly from failures to comply with the data security requirements of the GDPR (although, obviously, we need to wait for the ICO's final monetary penalty notices in these cases to confirm the amounts of the fines that the ICO will impose in the end).
It should be noted that, according to a statement to the London Stock Exchange on 9 January 2020 (the same date as the ICO monetary penalty notice), DSG's CEO stated that DSG is disappointed in some of the ICO's key findings which it has previously challenged and continues to dispute, and is considering its grounds for appeal. On 6 February 2020 it was reported that DSG is appealing the fine.
A Point of Sale compromise
As explained in the ICO's monetary penalty notice, DSG was alerted to an issue with its computer systems by external intelligence received on 5 April 2018. DSG commissioned a specialist security team to respond, which confirmed that a malicious third party had compromised the systems and had taken control of multiple domain administrator accounts.
This enabled the attacker to install malware on 5,390 Point of Sale (POS) terminals in Currys PC World and Dixons Travel stores, allowing them to harvest a variety of details from a total of 5,646,417 payment cards.
In addition, the attacker exfiltrated data from DSG's internal servers, including records relating to approximately 14 million data subjects, containing non-financial information (e.g. name, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit checks).
The cyber incident was fully contained in June 2018, once remedial measures were implemented.
The relevance of PCI DSS
DSG, as a retailer processing credit card information, was required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
For those not familiar with PCI DSS, it is an information security standard for organisations that handle payment cards from the major payment card schemes. It is imposed on merchants and banks by the card brands and administered by the Payment Card Industry Security Standards Council. In a nutshell, PCI DSS sets out operational security measures required in the payment card environment, requires regular validation of compliance through prescribed means, and sets out sanctions, including fines, for compliance failures. Approached from a personal data/GDPR point of view, PCI DSS is, in effect, a parallel data security regime for payment card data. At the same time, it is the information security standard that fleshes out the meaning of "appropriate technical and organisational measures" when it comes to the security of payment card data, as evidenced by the ICO's decision in DSG and previously stated in the ICO guidance.
According to the ICO's monetary penalty notice, between 9 and 11 May 2017 an information security consultancy instructed by DSG carried out an assessment of the POS terminals in Dixons and Carphone stores. It found multiple critical vulnerabilities, demonstrating that DSG was not compliant with PCI DSS. However, despite the serious issues uncovered by the assessment, DSG did not expedite the process of bringing its security up to the required standard, and the ICO considered this to be a relevant factor in reaching its decision to impose the monetary penalty notice on DSG. This is a useful reminder that it is very difficult to defend a failure to act on known issues (e.g. issues identified through an audit or in the context of a previous incident or breach): such a failure will be an aggravating factor in regulatory investigations, litigation or claims under insurance policies, as well as from a PR point of view.
The decision is a reminder to organisations that, firstly, the ICO can (and does in our experience) ask for all and any relevant reports – so even advice received from IT security advisers prior to the data breach can end up informing the ICO's decision. This does not extend to advice that is protected (for instance, legally privileged advice), although in practice organisations may decide to disclose it. Secondly, that it is wise to act on advice, especially when it is pointing to deficiencies in security infrastructure. If you choose not to, and a related breach occurs, the inaction despite corporate knowledge is an aggravating factor.
As mentioned above, the monetary penalty notice stated that the ICO took PCI DSS into account in determining whether appropriate security was in place. Although the decision was made under the DPA 1998, the GDPR sets out the same requirement, for both controllers and processors, to apply appropriate technical and organisational measures to keep personal data secure. Therefore, compliance with PCI DSS continues to be the information security standard for retailers and other merchants to attain in relation to any payment card data they process. This aspect of the decision is a clear reminder of the importance of information security standards, such as PCI DSS and the ISO 27000 series, in fleshing out the high-level security requirements of the GDPR (and of other legislation that sets out data or system security requirements, such as the EU e-Privacy Directive/UK e-Privacy Regulations and the EU NIS Directive/UK NIS Regulations). In our opinion, regulators (and courts) will also look increasingly at the guidance of expert organisations and centres of excellence, such as the UK National Cyber Security Centre (NCSC), to flesh out the meaning of "appropriate" in particular contexts, e.g. in relation to good password management, phishing emails or software patching.
Data security: what "Good" looks like
As in previous decisions, the ICO includes detail of the failures that it identified in relation to data security in the DSG systems. The issues identified provide clarity regarding the basic minimum standards that the ICO will expect in similar contexts.
According to the ICO, DSG's security failures included:
- insufficient network segregation (which could otherwise have contained the incident and stopped it from spreading from one section of the network to another);
- no local firewall configured on the POS terminals (which could have prevented unauthorised access to the POS system and/or exfiltration of data, or at least would have forced the attacker to leave a larger footprint and so be detected more easily);
- software patching that was systemically inadequate on the POS terminals and not even compliant with DSG's own policy (an issue which had been flagged specifically in the PCI DSS assessment, above);
- vulnerability scanning not performed on a regular basis;
- failure to manage application whitelisting correctly across the POS terminals;
- lack of an effective system of logging and monitoring to identify and respond to incidents;
- outdated software deployed on the POS systems and not effectively managed;
- outdated POS systems that did not support Point-to-Point Encryption (P2PE), which would have meant the card data was never present in plain text on the terminal for the malware to read;
- failure to manage the security of its domain administrator accounts, including failures to adhere to its own policies and controls; and
- failure to implement standard builds for all system components based on industry-standard hardening guidance.
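Two of the failures above, the lack of effective logging and monitoring and the loss of control of domain administrator accounts, are the ones a detection team can most directly act on. The following is an added example (not code from the ICO notice or from DSG) of two simple rules a SOC could run over Windows logon events: a domain-admin account authenticating to a POS terminal at all, and any one account fanning out to many POS hosts in a short window, which is what the roll-out of malware to thousands of terminals looks like in the logs. The event shape, host names (`pos-*`, `srv-jump03`), account names and the domain-admin group membership are all constructed for the example.

```python
"""Added example: two detection rules over constructed logon events.

Rule 1 - a domain administrator account should never log on to a POS
         terminal; any such logon is an alert.
Rule 2 - one account reaching many distinct POS hosts within a few
         minutes indicates lateral movement / mass malware deployment.

Event tuples below mimic Windows Security event 4624 (successful
logon) in simplified form. All names and timestamps are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, account, source_host, target_host, logon_type)
# logon type 2 = interactive (till user), 3 = network, 10 = RDP.
SAMPLE_EVENTS = [
    ("2018-04-01T02:00:05", 4624, "CORP\\svc-backup", "srv-bak01",  "srv-file02", 3),
    ("2018-04-01T02:01:10", 4624, "CORP\\da-admin1",  "ws-admin07", "dc01",       10),
    ("2018-04-01T02:03:40", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1042",   10),
    ("2018-04-01T02:04:02", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1043",   3),
    ("2018-04-01T02:04:19", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1044",   3),
    ("2018-04-01T02:04:31", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1045",   3),
    ("2018-04-01T02:04:50", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1046",   3),
    ("2018-04-01T02:05:12", 4624, "CORP\\da-admin1",  "srv-jump03", "pos-1047",   3),
    ("2018-04-01T09:15:00", 4624, "CORP\\till-user",  "pos-2001",   "pos-2001",   2),
]

# Assumed membership of the Domain Admins group (hypothetical accounts).
DOMAIN_ADMINS = {"CORP\\da-admin1", "CORP\\da-admin2"}


def is_pos(host):
    """Assumed naming convention: POS terminals are named pos-NNNN."""
    return host.startswith("pos-")


def privileged_logons_on_pos(events, admins=DOMAIN_ADMINS):
    """Rule 1: every successful logon by a domain admin to a POS host."""
    return [e for e in events
            if e[1] == 4624 and e[2] in admins and is_pos(e[4])]


def fan_out(events, window=timedelta(minutes=5), threshold=5):
    """Rule 2: accounts that reach >= threshold distinct POS hosts within
    `window`. Returns {account: set_of_hosts} for the first window that
    trips the threshold."""
    by_account = defaultdict(list)
    for ts, eid, acct, _src, dst, _ltype in events:
        if eid == 4624 and is_pos(dst):
            by_account[acct].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for acct, hits in by_account.items():
        hits.sort()                       # sliding window over time order
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[acct] = hosts
                break
    return alerts


if __name__ == "__main__":
    for e in privileged_logons_on_pos(SAMPLE_EVENTS):
        print("ALERT domain admin on POS:", e[0], e[2], "->", e[4])
    for acct, hosts in fan_out(SAMPLE_EVENTS).items():
        print("ALERT fan-out:", acct, "reached", len(hosts), "POS hosts")
```

Both rules depend on two things the ICO found missing at DSG: the events actually being collected centrally from the terminals, and an inventory that lets the rule know which hosts are POS terminals and which accounts are privileged. Without those, even a perfect rule has nothing to run over.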