ICO investigation into Dixons Carphone’s data breach
Philip Weaver, Partner
On 13 June 2018, Dixons Carphone released a statement that 5.9 million payment cards and 1.2 million personal data records had potentially been compromised.
It has since transpired that only 105,000 non-EU issued payment card details without chip and PIN protection were leaked. These customers have been notified and the appropriate measures to ensure security have been taken. Dixons Carphone has said that, although the data has been leaked, there is no evidence that the cardholders have been the victims of fraud as a result.
However, Chris Boyd, lead malware analyst at Malwarebytes, has expressed worries that the release of the 1.2 million personal data records will increase phishing attempts.
GCHQ, Britain’s intelligence and security service, is currently investigating the breach alongside the National Cyber Security Centre and the Financial Conduct Authority. Part of their investigation will be to determine which data protection law applies (the 1998 Act or the 2018 Act), taking into account both when the incident happened and when it was discovered.
This determination will be of huge importance to Dixons Carphone because, since the Data Protection Act 2018 came into force, maximum fines for data breaches have risen from £500,000 (under the 1998 Act) to €20 million or 4% of global turnover (whichever is greater). As it stands, because the breach occurred last year, it is likely to be reviewed under the provisions of the 1998 Act rather than the 2018 Act, which should be of at least some relief to Dixons Carphone, which has also just announced a 23.6% drop in its pre-tax profits.
Dixons Carphone has received wide criticism for not ‘learning’ from its subsidiary Carphone Warehouse’s data breach in 2015, which resulted in it being fined a record £400,000. Companies must learn from others’ mistakes before it is too late and take data protection seriously to avoid the considerably less forgiving new penalties that could be imposed.