Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers' payment cards Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details. A probe by the UK’s data watchdog said the computer system managing the till was compromised, impacting 5, …
"Baldock added that the company is “disappointed” in some of the ICO’s “key findings” it had previously challenged and “continue to dispute”. He didn’t specify particular areas but is “considering our ground for appeal”."
Yep, let's see them appeal and then get hit with a even bigger fine for being complete twats when they lose!
This post has been deleted by its author
£500k is the biggest fine that can be levied under the old legislation. I agree it's a joke but the ICO's hands were tied and they couldn't do more.
If the breach had happened under the GDPR Dixons would have been looking at BA level fines (£183 Million).
Worked in PCW as a tech when I was a nipper, many moons ago. Everyone slagged off the old REPOS terminals but you wouldn't have had a problem with them! I was there when the first Windows-based checkouts arrived - Eclipse, I think it was called. Queues to the back of the store when the things went wrong (which was, in the words of the now-legendary Tom Jones, not unusual).
I also had the misfortune of working at one of their stores as a 'tech' during my uni days when crappy Eclipse came in. Written very badly in Java, all the machines running it on XP with full internet access and intranet access. If you raised any concerns you were just fobbed off of course. Avoided buying anything in any of their stores for over a decade now.
I asked them last year to delete any personal data they held on me, after hearing about the breach of their customer data. They have decided that to perform a GDPR deletion request I have to write a letter to their head office including ID. I have to give them more personal data to get my data deleted. They were happy for me to prove my identity with an email address when buying from them. It's legal for them to make me jump through these hoops but it's clearly done to make the process as painful as possible.
Try never to use them now, I remember the fights I used to have with them when buying stuff when they insisted on me giving them a post code/house No. even with cash purchases. I always decline (similarly requests for email etc) and have walked out the shop on more than one occasion rather than submit to their rapacious data grabbing practices.
"We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”
Always love seeing this line used by any company investigating a cyber attack or breach. Just because they have no evidence, doesn't mean it hasn't happened. The reality is that there is so much data already out in the wild, that information from multiple breaches are more likely to be combined. Therefore making it virtually impossible for any indvidual company to find "evidence" that their breach caused fraud or financial loss.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
