Perhaps a £500k fine, individual apologies to those affected and a well publicised public apology to encourage the others to do better.
Attackers have 16-digit card numbers, expiry dates, but not names. Now org gets £500k fine
The UK's data protection watchdog has scored a small win in a lengthy legal battle against a British retail group that lost millions of data records during a 2017 breach. You can read Lord Justice Warby's decision, handed down yesterday, here [PDF]. The Information Commissioner's Office (ICO) originally fined DSG Retail £500, …
COMMENTS
-
Friday 20th February 2026 12:28 GMT rwbthatisme
Yes, cards may be expired, but they also have predictable expiry dates, so a reasonable chunk of the PANs will still be valid if you have the historic expiry date and can make a good assumption on the current renewal date given the card issuer cycle. Similarly, if you perhaps had access to the web of darkness, you could probably cross-match the last four digits (which is the CRC / Luhn) to other lists where retailers have retained the last 4 digits in plain & expiry. With such a large dataset even <1% is too many.
-
Friday 20th February 2026 13:41 GMT Anonymous Coward
My last few card renewals for bank and credit cards appear to have had some sort of pattern of modest incrementation on the last three digits. Maybe that's just chance, but those appear to be the only numbers that change between cards for me with this issuer.
Of the 16 digits, the first six are issuer ID, so definitely won't change. Looks to me like the next six/seven are personal identifiers for my account so don't change card between issues, and working out the incrementation on the remaining three digits won't be hard if there's historic breach data for my issuer or if the crims have accounts with said issuer themselves. So knowing my old card number and expiry, plus the validity of new cards and it's looking a bit of an open door, even if they needed to brute force the number that's not going to be too hard.
-
Saturday 21st February 2026 23:02 GMT nobody who matters
If the details don't change, I would suggest changing card provider. I only have one payment card, and when it is due to expire I get sent a replacement (usually significantly in advance of the existing card's expiry date, and with an earlier expiry date on it - the old card is rendered invalid after first use of its replacement), and the last four of the 16 digit number change, along with the three digit verification code.
-
Monday 23rd February 2026 10:11 GMT Roland6
Amex?
But then they change the 4 digit issue code.
With my (UK) high st bank cards the change of the last four digits has been happening since before Covid. I’ve also noted the old card doesn’t automatically get cancelled on the expiry date; instead I get the option to review transactions, to enable me to identify forgotten regular payments.
“Nobody that matters” is correct, the new card will have a start date prior to the expiry of the old card; first use of new card expires old card.
-
Friday 20th February 2026 10:55 GMT Aaiieeee
"DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not."
The fact that malware was installed on 5390 tills means that whatever DSG 'acknowledges' is irrelevant because they are fucking useless.
They failed their customers in their role as a data controller so on that basis should get a massive fine.
-
Friday 20th February 2026 12:06 GMT Like a badger
They should get a massive fine, but £500k is half a percent of last year's after tax profit. That won't sting. Moreover the BASTARDS have taken this all the way to highest court because they earnestly believe they somehow weren't at fault and shouldn't even pay that token. If you want to see if a business doesn't care about its customers, see how it reacts to a regulator's judgement. Dixons/Currys couldn't give a shit about their customers data going AWOL, and they think an appropriate sanction for their failings should be "nothing".
-
Sunday 22nd February 2026 14:30 GMT Crypto Monad
> "DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not."
And by Curry's logic: if they had also lost your National Insurance Number, your date of birth, your telephone number, your E-mail address, or your shoe size, none of that would be personal information either.
-
Friday 20th February 2026 10:56 GMT Emir Al Weeq
PC world and hard discs
Many many moons ago I bought a USB hard disc from PC World. I backed up personal docs (nothing too private) that I planned to store off-site (parents' house).
It died after about a week so I returned it and was offered a replacement. I asked what would happen to the first unit with all my data on it and was assured that it would be destroyed.
I took the replacement unit home whereupon I noticed signs that the packaging had been opened before. I plugged it in and was presented with someone else's files.
I complained and raised my concerns about my data on the first disc. Never heard back, never used that shit show again. I didn't know Currys were part of the same group and may have used them since; bollox!
-
Friday 20th February 2026 14:08 GMT heyrick
Re: PC world and hard discs
"I plugged it in and was presented with someone else's files."
I can't help but think that that's when you take a very brief look to see if there's anything "of interest" (like bank info or photos of children) and then take the whole story to somebody shouty like The Daily Fail. This is basic negligence and needs to be called out.
-
Friday 20th February 2026 14:56 GMT Graham Cobb
Re: PC world and hard discs
Appalling behaviour by PC World, of course. But I do recommend disk encryption for all hard disks. Partly to avoid what you describe, but also so that when the disk dies (or I replace it because it is too small) I can just discard (or sell or give to someone else) it without bothering to erase/overwrite the content. Once I remove the password from my password manager the data has gone - no one (even me) is getting that back again.
Personally I encrypt at the partition level - I don't encrypt the partition table or the grub, EFI and boot partitions but the data, swap and tmp partitions are each encrypted with their own keys (which live on a thumbdrive to be available for boot).
-
Friday 20th February 2026 15:07 GMT Mr Dogshit
Re: PC world and hard discs
Well there's a surprise.
Anyway, they wouldn't have destroyed that HDD at all. It would still have been under warranty with the manufacturer, so they would have sent it back to Seagate or Western Digital or whoever and gotten a replacement. Your faulty HDD would then have gone to somewhere in the Far East and been refurbished.
-
Saturday 21st February 2026 07:48 GMT Anonymous Coward
Re: PC world and hard discs
Ah, happy memories of the pink second-hand Samsung (IIRC) flip phone I bought for the missus in the local (then) market.
The previous owner had clearly been sending mammary-related selfies to at least one contact. The thoughts of some potentially very profitable blackmail did cross my mind, but I decided not to.
Pretty decent pic, though.
-
Sunday 22nd February 2026 10:30 GMT anthonyhegedus
Re: PC world and hard discs
This is typical of that shitshow. About 15 years ago I knew someone who was having problems with his laptop but it was well out of warranty. I remember asking him why his user name was a different name from his, and why he had a bunch of spreadsheets despite the fact that I knew he didn’t do spreadsheets. His answer: “it came like that - I just assumed it was like demo files or something”.
On investigation, it turned out that the laptop was first used about a year before he’d bought it. It had obviously been returned and sold by that PC World as “New”.
He tried to take it back but they weren’t having any of it.
I know that this was 15 years ago, but I can’t see that they’d have changed. It’s ingrained in their company culture.
-
Sunday 22nd February 2026 20:00 GMT Noram
Re: PC world and hard discs
It seems to have been DSG standard for *checks date and thinks* 35 years at least to send out returned stock as new. Not sure if it's official policy, individual managers, or sheer and utter incompetence.
I had a SNES (yes that long ago) that failed, it took something like 5 returns to get one that was actually new and sealed (after raising my voice a little so that other customers in the busy store could hear what was going on), one of the supposedly "new" units I got as a replacement was the one I'd returned 3 days earlier having had it fail at about a day old.
IIRC the replacements were: cake crumbs and grease all over, faulty and got stuck in a loop when turning on Mario All Stars (the character kept falling forever; it took about an hour with the "assistant" comparing their store demo SNES with the one I'd got, repeatedly, to agree that yes, it was a fault, and no, turning it off and on again, or blowing the contacts, wasn't going to fix it), another failed unit, the one with the infinite princess loop (same serial number; I'd gotten smart and noted them down and checked in the store).
About the only thing I've bought from them since has been things like urgently needed cables when there has been no other store open that sells them, and I can't wait until the next morning (so about twice in 30 years, and one of those was them having reduced the price to well under normal retail to clear them as the packaging was changing).
A friend returned a laptop for repair under warranty, was checking on it weekly being told "it was at the manufacturers getting fixed", apparently on something like week 5 he spotted it on the shelf behind the CS/service/repairs counter with a post it saying "don't let MR Smith know we hadn't sent it off yet", I think he started pointing out the consumer rights act on them at that point.
-
Monday 23rd February 2026 08:40 GMT JT_3K
Re: PC world and hard discs
Being that it's now incredibly hard to get real USB HDDs and memory sticks from Amazon* without being scammed, and eBuyer has gone, I expect I'd be headed here for a memory stick if I needed one. That said, I hate going in there, hate being "upsold" repeatedly by someone who just won't take the hint that I'm not falling for their lies and despise giving DSG any money.
* Having been burned with dodgy firmware "upsized" ones and not-from-that-manufacturer clones, I finally stopped trusting Amazon for "official" products when the seemingly official "Oral B shop" sent me counterfeit toothbrush heads that were noisy as hell and shredded bristles.
-
Friday 20th February 2026 12:14 GMT Anonymous Coward
They don't want to establish precedent
Actually they do, just not a legal one. What they are trying to do is put the resource poor ICO under pressure, in the hope that the regulator thinks that DSG will always push back hard, and so becomes more reluctant to take them on in future. I've seen similar with a big US firm threatening the UK regulator I work for with a judicial review over a dispute. For them that's simply a few bob of already budgeted legal fees, a cost of doing business. For us, we've got a handful of low paid lawyers, no budget for high end external legal advice; being dragged to court bogs us down, and comes with notable risks because so much legislation is either sloppily drafted or was drafted so long ago that it doesn't apply well to the current world. We did face down that US tech company and they backed off, but it does show the corporate mind set of some companies.
-
Friday 20th February 2026 12:16 GMT Charlie Clark
Incredible decision by the upper tier in the first place
Personal data is anything that can be used to identify someone. But the identification isn't some kind of general activity; it's always in context. This is why what is considered personal data, and I think the term is personally attributable data, includes telephone numbers, IP addresses, number plates, account numbers, DNA, fingerprints, etc. Should have been a slam dunk decision affirming those of the previous courts.
-
Friday 20th February 2026 15:09 GMT Roland6
Re: Incredible decision by the upper tier in the first place
The question being debated is who is using the data and thus the viewpoint taken. The ICO are saying the relevant viewpoint is that of the data controller, namely DSG, who could use the card information to identify an individual. DSG were arguing from the perspective of the hacker, who gained possession of the card number but not the name on the card.
This is one of those cases where I’m happy to be using a payment processor: my system gives the payment processor a transaction reference and the amount owed, the payment processor handles all the card details and returns to me an authorisation code, to confirm payment has been received.
-
Friday 20th February 2026 22:20 GMT Richard 12
Re: Incredible decision by the upper tier in the first place
The upper tier ruling was wrong on every count. In reality it doesn't matter which viewpoint.
A card number itself nearly perfectly identifies a specific individual.
In fact, the card number is far better at identifying an individual than a name - almost all cards have exactly one cardholder, but thousands of people have the same name!
As Lord Justice Warby points out, that card number also allows the attacker to perfectly tie together (stolen or otherwise) data from many other sources.
-
Monday 23rd February 2026 10:44 GMT Roland6
Re: Incredible decision by the upper tier in the first place
That has been one of the notable changes in online payments processing: old sites which took card details and only then displayed the payment authorisation dialog box, and the newer sites which pass you over to the payment processor once you've selected “pay by card” and so see none of your card details.
Aside: I wonder whether PC World’s POS terminals were running Windows Embedded, OS/2 or something else.
-
Monday 23rd February 2026 11:42 GMT Roland6
Re: Incredible decision by the upper tier in the first place
Done some further digging; it seems the PC World POS terminals were running Windows, and it is believed that due to non-existent firewalls attackers were able to gain access to a domain administrator's account and thus gain access to the POS terminals.
-
Monday 23rd February 2026 10:07 GMT 0laf
Re: Incredible decision by the upper tier in the first place
Indeed, you are supposed to carry out due diligence on all your sub-processors.
Buuut, in this case the act was committed before the GDPR / UK GDPR was in place, and the flow-down of responsibilities was not so clear in the older legislation.
This case is being held against the DPA 1998, not the current laws; £500k is the max fine for this one.
-
Friday 20th February 2026 13:29 GMT Lee D
Re: UK data protection continues
Apple Pay? Seriously?
Yes, use the company that still provides absolutely zero GDPR guarantees despite being asked for nearly a decade now to do so.
You know your iCloud? It's an AWS, Azure, etc. storage. Where? Apple won't even say. Does Apple pass on the same jurisdictional requirements for where that data is stored to you? Nobody knows.
Literally, they refuse to tell you where your data is stored, or on what services, or in what countries, or what laws it's subject to.
So, yeah, go put all your eggs in the Apple basket, because they clearly "respect" data protection law, right?
P.S. don't believe the "AI" answer on the search engines... go and find a GDPR policy. And one that states they're GDPR compliant rather than weasel words which give absolutely no definitive statement to that effect.
-
Friday 20th February 2026 14:25 GMT Anonymous Coward
Re: UK data protection continues
"Does Apple pass on the same jurisdictional requirements for where that data is stored to you?"
That doesn't matter. For data protection purposes, the jurisdiction that applies is the one where the Data Controller is located.
Apple can store and process your Personal Data wherever they want. The location of the datacentre with the spinning rust that's holding your data is irrelevant. The data will be within the remit of Ireland's Data Protection Authority because that's where Apple's resident for tax purposes - just like Facebook, Google and the others. This explains why Ireland gets to rake in billions for Big Tech's data protection breaches.
-
Sunday 22nd February 2026 13:23 GMT jwatkins
Re: UK data protection continues
It is this small print contract that needs to be regulated. If you are a UK citizen, then it should not be possible for you to have a personal contract with a company in a foreign jurisdiction. If I buy something from Apple, it has to be Apple UK (whatever they say), similarly with Amazon, etc. That would also fix the taxation leakage :-)
-
Sunday 22nd February 2026 14:37 GMT Anonymous Coward
Re: UK data protection continues
That would also fix the taxation leakage :-)
Sadly not. ${Company}* UK will have a contract with ${Company}* ${Ext}** which means that it has to pay sufficient external royalties, licence fees etc. such that its profit in the UK is almost exactly zero.
* replace with Starbucks, Apple, or any multinational company of your choice
** replace with US or an intermediate tax haven country of your choice
-
Friday 20th February 2026 21:30 GMT DaveK23
Re: UK data protection continues
The ICO is fucked. Your data protection rights mean nothing and every DPO I have ever had dealings with won't hesitate to falsify, withhold and fraudulently over-redact data in order to cover up organisational wrongdoing.
Meanwhile the ICO's estimated lead times have just increased from 29 to 40 weeks - and that's just the time to initially assign a handler to your case.
My girlfriend filed a complaint about Beds, Cambs and Herts police's joint data protection team not bothering to respond to an SAR in time. (They just sent her a notice saying they couldn't even provide a timescale for responding. It's been three months now). SARs to law enforcement are what's known as part 3 requests, because they are governed by part 3 of DPA 2018, about which the law states that they "may not be extended for any reason".
The ICO decided that they weren't going to investigate. No explanation, they just had no interest.
What is the point of them even existing?
-
Saturday 21st February 2026 13:43 GMT Anonymous Coward
Re: UK data protection continues
> Your data protection rights mean nothing and every DPO I have ever had dealings with won't hesitate to falsify, withhold and fraudulently over-redact data in order to cover up organisational wrongdoing.
Yupe, been there seen that many many times.
When investigating any complaint the ICO will, by default, accept whatever the organisation tells them as fact/truth. Unless you have documentary evidence to disprove whatever they tell the ICO you'll not get far with your complaint.
Even on some occasions where I've been able to obviously catch an organisation in a lie (regarding a data protection matter) the ICO has not acted upon this.
> Meanwhile the ICO's estimated lead times have just increased from 29 to 40 weeks - and that's just the time to initially assign a handler to your case.
Yupe. I've had an FOI complaint that was accepted for investigation in September last year and I was recently told it won't be assigned a case officer until April.
> The ICO decided that they weren't going to investigate. No explanation, they just had no interest.
Unfortunately the ICO can decide what they are going to or not going to investigate, they are not required to investigate all complaints (or all parts of a complaint). See my AC comment further down about UK DPA 1998 potential criminal offences.
I have found the FOI side of the ICO to be a little bit better than the Data Protection side with regard to handling of cases.
-
Saturday 21st February 2026 22:42 GMT Alan Brown
Re: UK data protection continues
I've spoken off the record to ICO staff (usually after they've submitted their resignations in disgust).
The policy is deliberate and comes from the top. The ICO's primary function is simply to exist and appear to be complying with EU rules.
We're no longer in the EU, but the attitude prevails - and this has been the norm under governments from either side of the aisle.
-
Friday 20th February 2026 13:27 GMT anthonyhegedus
Typical
Currys/DSG always were useless technically. Their whole culture is that disregard for the law is ingrained in their staff. They've always been known for selling used kit as new, for disregarding warranties, for upselling pointless store-brand service plans and so on. It's no wonder that their security is lax enough to allow this sort of thing to happen.
-
Friday 20th February 2026 14:19 GMT heyrick
Half the time, the card number/date/check is all that's necessary to buy stuff online. Often the cardholder's name isn't requested, and it's a bit hit and miss whether or not the bank app will require a secure authorisation to let the payment go through. So, names or not, this was a monumental screw up and I'm rather surprised that whoever provides their card handling hasn't revoked that until they can prove their systems are secure.
Furthermore, why did the tills even have this information? The tills here have a little card reader that you put your card and PIN into. This gives the till an authorisation code and obfuscated card details like 4040********1234 which is what gets put in the receipt. The till itself doesn't need to know the card info, just whether or not the payment was approved and a reference number for accounting.
Was this some home-grown "solution" outsourced to the lowest bidder?
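The till-side picture heyrick describes (the reader returns an authorisation code plus a truncated PAN such as 4040********1234, and the till never holds the full number) is also what a defender checks for after the fact: a full PAN in a till log is a finding. As an added example that is not from the article or any DSG system, here is a small Python scanner that masks a PAN to first six / last four and flags Luhn-valid digit runs in constructed sample log lines; the card numbers used are the public industry test PANs, not real cards, and the log format is invented.

```python
import re
from typing import Iterable

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def normalise(candidate: str) -> str:
    """Strip the separators a till might print between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def luhn_valid(pan: str) -> bool:
    """Luhn check: the final digit is a check digit over the others.

    Only the last digit is the check digit; this filter discards roughly
    nine out of ten arbitrary digit runs (order numbers, timestamps), so a
    hit is worth looking at, but it is not proof of a card number.
    """
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to BIN (first 6) + last 4, which is the most PCI DSS lets a
    receipt or log show; everything between is replaced by asterisks."""
    pan = normalise(pan)
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return the masked form of every Luhn-valid digit run in text.

    The raw value is never returned: a scanner that copies full PANs into
    its own report would just be a second place for them to leak from.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        pan = normalise(m.group(0))
        if luhn_valid(pan):
            hits.append(mask_pan(pan))
    return hits


def scan_log(lines: Iterable[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every unmasked PAN found in the lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for masked in find_pans(line):
            findings.append((n, masked))
    return findings


# Constructed sample till log (format invented for this example). Lines 2,
# 4 and 5 contain full PANs; the 16-digit ref on line 1 is not Luhn-valid
# and line 3 already carries the truncated form a till should keep.
SAMPLE_TILL_LOG = [
    "2017-08-01 10:02:13 till=0417 auth=OK ref=1234567890123456 amount=49.99",
    "2017-08-01 10:02:13 till=0417 DEBUG pan=4111111111111111 exp=0919",
    "2017-08-01 10:05:40 till=0417 auth=OK card=555555******4444 amount=12.50",
    "2017-08-01 10:07:02 till=0418 DEBUG track=5555 5555 5555 4444 exp=1219",
    "2017-08-01 10:09:55 till=0418 DEBUG pan=3782-822463-10005 exp=0320",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_TILL_LOG):
        print(f"line {line_no}: unmasked PAN present, masked form {masked}")
```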
-
Friday 20th February 2026 14:47 GMT Roland6
Suspect the tills were inherited from the legacy Dixons and Curry’s stores and hence were from a time when security meant something slightly different to what it does today. Hence a relevant question is when did DSG do a complete till refresh.
Haven’t purchased anything recently from my local PC World, but certainly before lockdown, I had to ask for a VAT receipt before they took the transaction, as only one of their tills could produce the relevant receipt - I think it was the one connected to the Curry’s system…
-
Friday 20th February 2026 16:58 GMT Tron
It isn't possible to secure data.
No matter how much cash you throw at it, if someone wants your data, they will get it. The software is too bug ridden and too complex, and there is simply not the infosec talent out there to protect data. So as I have said on here before, data is a risk, not an asset. If you hold a honey pot of data, it may only be a matter of time before you are screwed over by hackers and then again by the ICO.
There is also the ethical issue of punishing a victim of crime. DSG wore a short skirt and got raped.
I'm not supporting the idea that you can be lazy about security, but that we need to be more discriminating with culpability.
-
Monday 23rd February 2026 14:41 GMT NiteDragon
Re: It isn't possible to secure data.
"DSG wore a short skirt and got r**ed."
Nope. The customers got screwed. DSG are currently being inconvenienced by a tiny fine for essentially inviting the criminals in, bending those customers over (without their consent or knowledge), providing lube and looking away for 9 months. Their defence is that, as the criminals couldn't see the faces, DSG are innocent and can do this again whenever they like. To summarise the important bit:
"
Important to the case is the nature of the data that was stolen. Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and Dixons Travel, both of which DSG owns.
The malware went unnoticed for nine months, hoovering up 5.6 million payment card details and the personal information belonging to around 14 million people, the ICO confirmed when issuing its MPN.
Then-commissioner Steve Eckersley said at the time that the ICO's findings were "concerning" and related to "basic, commonplace security measures," that ultimately showed "a complete disregard" for customers' data.
"
DSG is not the victim here. You don't get that many systems compromised and unnoticed for that long without some seriously bad security practices (if they even exist). While systems are hard to secure, that doesn't mean not bothering at all is "okay".
-
Friday 20th February 2026 17:02 GMT Anonymous Coward
Mystery solved!
A few weeks back my banking app warned me that there had been an attempt to use an expired card (from about ten years ago).
When I looked at the detail it was for 0 quid. Must have been to see if it would clear first and then hit me for big bux.
Now I know why. I assumed it was a historical data leak and I already wondered why it hadn't happened before.
-
Saturday 21st February 2026 01:41 GMT Anonymous Coward
Interesting to see the ICO currently involved in an issue that occurred when the previous law (UK DPA 1998) was in effect.
I raised 2 data protection complaints with the ICO in 2021 which partly covered issues that occurred under the previous law. The ICO case officer who dealt with both complaints refused to investigate any of the matters that occurred prior to 25th May 2018 (when GDPR came into effect) - when I queried this I was told "the ICO no longer has any powers to investigate matters that occurred when the previous law was in effect".
Several months later I noticed a story on the ICO's own website about them taking action regarding something that did happen under the previous law. When I again queried the case officer and pointed out this (unrelated) case the case officer revised her previous response to be instead "the ICO does have powers to investigate matters that occurred when the previous law was in effect but it is ICO policy to not do so unless the matters involve criminal offences".
I then pointed out to the case officer that my complaints *did* mention potential criminal offences and the case officer again revised her response to be "it is ICO policy to not investigate matters that occurred when the previous law was in effect unless the matters involve criminal offences and unless the ICO receive sufficient complaints". Obviously the ICO didn't deem a single complaint (mine) to be 'sufficient'.
-
Sunday 22nd February 2026 09:02 GMT MJB7
Re: I wonder
I don't think sunk cost fallacy applies here. It would be economically rational to spend £499,999 more to avoid a £500,000 fine. All the previous costs are sunk, and while they might regret spending them, the question is "how much to spend now?".
Actually it's more like "rational to spend £249k for a 50% chance of avoiding a £500k fine", and I suspect an appeal to the Supreme Court would cost more than that.
-
Monday 23rd February 2026 11:48 GMT El Patron
Theft of data
Hi
Ex cop turned into cyber vigilante.
Wouldn't this be theft? If I remember correctly from my old constable days, theft is defined as "the dishonest appropriation of property belonging to another with the intention of permanently depriving the other of it". Sure, an argument exists here over whether the data is or is not PII (personally I don't think it is); however, what is clear to me is that data has been stolen.
I guess the ICO is going against PC World because going against the perpetrators is much much harder.
-
Tuesday 24th February 2026 04:32 GMT logicalextreme
Re: Theft of data
Different orgs for different purposes. Theft and hacking would be the home office, fraud the SFO. This is about the legal (well, lawful I guess) obligations to secure personal data.
I'll analogise with cars (even though I hate them) because they seem to resonate with people. If you leave your car with valet parking and they leave the keys in it and it gets nicked by a third party, you'd likely pursue a civil claim against the parking operators. A crime was also committed, but if the plod catches the thief and the parking operator keeps leaving the keys in vehicles, not much gets better. Ideally you go after both with the appropriate organisations — no idea what chasing the perps would fall under in this case but probably Computer Misuse Act or some later addition if domestic.
That's the idea behind the ICO and such bodies and the associated laws and regs anyway. They're pretty crap when they meet reality. In the realm of the Internet at least you need PCI/DSS accreditation if you're going to be processing card data in any way, and you're at risk of having your accreditation revoked for an audit failure unless you're big enough to buy them off. That's a sidenote, but I can tell you that PCI/DSS teaches you to protect and freak out about 16-digit numbers.
There's a similar culture in healthcare about NHS numbers even though they can't directly identify much about someone (YMMV on how strongly people feel about this — I've worked for third party providers that guard them like gold, seen data sharing agreements with the NHS advising similarly, but OTOH have a local phlebotomy service, entirely understand the NHS, that wants you to email your NHS number plus other details to them to book a blood test; the alternative being a phone number that they only answer for a five-minute interval each time the moon is in waxing gibbous).
-