Sueball over breach of more than 5 million payment cards at Dixons Carphone hit for six

A Brit who tried to sue Dixons Carphone over the 2018 hack of 10 million customers' details, including 5.9 million payment cards, has had his case booted out of the High Court. Not only was Cardix owner DSG Retail Ltd almost completely successful in its application to strike out Darren Warren's case against it, the one count …

  1. wjake
    Flame

    Home Page Image

    That's a baseball, not a cricket ball!

  2. Mike 137 Silver badge

    Unfortunately...

    Sadly, that seems to be an impeccable judgement according to current law, given the bases for the action. However Article 82 of the GDPR provides for judicial remedy and compensation for "material or non-material damage as a result of an infringement of this Regulation", so maybe Warren just made the wrong choice of cause.

    1. macjules

      Re: Unfortunately...

      +1 since you beat me to it.

    2. Richard 12 Silver badge

      Re: Unfortunately...

      Evidently poor lawyers.

    3. CharlieSquared

      Re: Unfortunately...

      Warren can't sue for breach of GDPR, or UKGDPR, because the offending infringement happened prior to GDPR becoming applicable (the cyber attack in question was between 24 July 2017 and 25 April 2018). However, he is still suing for breach of the Data Protection Act 1998, as this is the residual head of claim, which, after the other heads were struck out, has been transferred to the County Court for trial.

      1. Alan Brown Silver badge

        Re: Unfortunately...

        Yup

        THIS case might have been thrown out for lack of applicable law, but any _future_ breaches will be fair game and this decision effectively doesn't set precedent because the law has changed since the event occurred.

        I'll guarantee that defence lawyers do try to point to it in future and I'm hoping in such a case they get spanked hard.

  3. Richard Jones 1

    Makes Cash Payments Sound Superior

    At least with cash, there is nothing for a crook to hold against the unfortunate customer. Only the careless merchant suffers, which in the case of DSG makes it something of a rare case. Usually, it is the customer who suffers after dealing with them.

  4. sictransit

    Big costs implications

    Significant because “misuse of private information” and “breach of confidence” claims can be covered by after-the-event insurance for legal costs, but a pure data protection claim is not similarly insurable, exposing claimants to defendants’ potentially huge costs (as well as their own) if they lose. https://panopticonblog.com/2021/07/30/important-new-high-court-judgment-on-data-breach-litigation/ So narrowing the scope like this strongly deters speculative claims.

  5. Pascal Monett Silver badge
    Mushroom

    Although I understand the judge's judgement . .

    . . and I accept that said judgement was made with respect to the law, I still find myself frustrated that a multi-million data breach from a company raking in almost £5B results in punishment that represents barely a pitiful 1 hour of annual revenue.

    Come on! If the fines do not become significant, nobody will make the effort to secure properly!

    1. tiggity Silver badge

      Re: Although I understand the judge's judgement . .

      Exactly, companies know they can get away with not spending on security as any fines are too often the merest slap on the wrist so no incentive to care about customer data.

      I was irked by:

      "If a burglar enters my home through an open window (carelessly left open by me) and steals my son's bank statements, it makes little sense to describe this as a 'misuse of private information' by me."

      As most insurance companies will say it's your fault for any theft in that situation (& not pay your losses) as you made insufficient attempt to make your property secure.

      1. Anonymous Coward

        Re: Although I understand the judge's judgement . .

        "If a burglar enters my home through an open window (carelessly left open by me) and steals my son's bank statements, it makes little sense to describe this as a 'misuse of private information' by me."

        Can't say I agree with this judgment, seems very poor in its conclusions.

        The statement is not a good comparison, because there is a clear implication 'expectation' when giving over payment details to companies such as Dixons, that they will be stored securely (with experts looking at the problem), because this is fundamental to the reputation of the business, and because the business itself is a high profile target, due to the amount of data they hold on customers.

        It's clearly not the same as an open window on a home that is carelessly left open, which by comparison is fairly low down the scale of targets (by comparison), for such types of data theft.

        Much like a bank, Dixons knew they would be high profile targets for such data thefts, yet in effect, their lack of due diligence in terms of security amounted to an open window, with bank statements in full view of the window (so to speak).

        1. katrinab Silver badge
          Meh

          Re: Although I understand the judge's judgement . .

          Sure, but they were fined for it, so legally speaking, they didn’t get away with it.

          You can argue that the fine wasn’t big enough, and I will agree with you on that, but that’s a different issue.

    2. The Dogs Meevonks Silver badge

      Re: Although I understand the judge's judgement . .

      I've said for so long that it's become almost tiresome to keep repeating myself...

      "Until companies are penalised to such an extent that it becomes unprofitable to flout the rules/regulations/laws... they will continue to do so with impunity."
