ICO wins battle in fight to fine tech retailer 500k
Briefly

"The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) - the relevant legislation at the pre-GDPR time. Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine."
"Important to the case is the nature of the data that was stolen. Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and Dixons Travel, both of which DSG owns. The malware went unnoticed for nine months, hoovering up 5.6 million payment card details and the personal information belonging to around 14 million people, the ICO confirmed when issuing its MPN."
"Then-commissioner Steve Eckersley said at the time that the ICO's findings were "concerning" and related to "basic, commonplace security measures," that ultimately showed "a complete disregard" for customers' data. The point of contention, central to the protracted legal case, is whether the card details the attackers scooped up could be used to identify cardholders. The trove of personal data accessed separately from the payment details is not something being debated in this case."
The Information Commissioner's Office fined DSG Retail £500,000 in 2020 under the Data Protection Act 1998. The monetary penalty was initially upheld by a first-tier tribunal but later reversed by the upper tribunal, which sided with DSG. Hackers installed malware on 5,390 tills across Currys PC World and Dixons Travel, operating unnoticed for nine months and capturing 5.6 million payment card numbers plus expiry dates and other personal information relating to about 14 million people. The central legal dispute concerns whether the 16-digit card numbers and expiry dates alone can identify cardholders. DSG contends the payment data alone did not amount to personal data.
Read at The Register