The company is in the news again over a data breach involving 5.9 million customer payment cards and 1.2 million personal records. The breach apparently happened almost a year ago, but has only recently been discovered and reported by the company.
This follows the 2015 data leak, for which the ICO announced a GBP 400,000 fine earlier this year.
In that announcement, the ICO (Information Commissioner’s Office) states that “The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.”
The Commissioner, Elizabeth Denham, is also quoted as saying: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.” (Carphone Warehouse was previously a separate company; it merged with Dixons in a GBP 3.8 billion deal that brought three major retail brands, Dixons, PC World, and Carphone Warehouse, together into a high street powerhouse with 3,000 stores and some GBP 11 billion in sales.)
At the time of writing, it is not yet certain whether this latest breach will be dealt with under the Data Protection Act 2018, which implements the EU General Data Protection Regulation (GDPR) in UK law, or under the older Data Protection Act 1998, which gives the ICO far smaller penalties to work with (a maximum monetary penalty of GBP 500,000). The updated ICO statement is linked here.
Implementing, and effectively managing, IT security controls is not a trivial exercise, and it does not come with a trivial cost. It is tempting to wonder whether executives (of any company) might view the risk of a GBP 400,000 fine as acceptable when set against the cost of implementing effective security measures, with the accompanying spend on software, hardware, and staff.
If the ICO determines that the latest breach falls within the scope of the 2018 Act (the time at which it occurred, among other factors, may mean it is instead handled under the 1998 Act), then Dixons Carphone could be looking at a fine roughly a thousand times larger than the last one: the GDPR maximum is 4 percent of global annual turnover, and on 2017 turnover of GBP 10.5 billion that works out to approximately GBP 423 million.
As the digital space becomes more intertwined with everyone’s personal lives and personal finances, consumers and citizens must be protected from abuse of their personally identifiable information. GBP 423 million is not the kind of figure executives are likely to view as an acceptable risk, so hopefully the companies we trust with our personal data will now pay more attention to protecting it.