back to article Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers' payment cards

Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details. A probe by the UK’s data watchdog said the computer system managing the till was compromised, impacting 5, …

  1. DJV Silver badge

    Appeal

    "Baldock added that the company is “disappointed” in some of the ICO’s “key findings” it had previously challenged and “continue to dispute”. He didn’t specify particular areas but is “considering our ground for appeal”."

    Yep, let's see them appeal and then get hit with a even bigger fine for being complete twats when they lose!

    1. This post has been deleted by its author

    2. HildyJ Silver badge
      Facepalm

      Millions for lawyers but not one penny for data security

      The fine is a joke, the company is a joke, their security practices are a joke, their customers are screwed, and their management and legal team will continue to rake in the money.

      1. big_D Silver badge
        Coat

        Re: Millions for lawyers but not one penny for data security

        They probably got one of their shop-floor staff to sell them the security solution...

      2. 0laf Silver badge

        Re: Millions for lawyers but not one penny for data security

        £500k is the biggest fine that can be levied under the old legislation. I agree it's a joke but the ICO's hands were tied and they couldn't do more.

        If the breach had happened under the GDPR Dixons would have been looking at BA level fines (£183 Million).

        1. IE84

          Re: Millions for lawyers but not one penny for data security

          BA haven't been fined yet and nor have Marriott. They were an intention to fine. The ICO have been dragging their heels on both matters.

    3. OssianScotland Silver badge

      Baldock

      Are you sure that shouldn't be "Baldrick"?

      (on second thoughts, his cunning plans were of a higher quality than DSGs)

      1. DJV Silver badge

        Re: Baldock

        Whereas the DSG manglement probably couldn't find a plan (cunning or not) even if it was stapled to their foreheads.

  2. Arbuthnot the Magnificent

    DSG

    Worked in PCW as a tech when I was a nipper, many moons ago. Everyone slagged off the old REPOS terminals but you wouldn't have had a problem with them! I was there when the first Windows-based checkouts arrived - Eclipse, I think it was called. Queues to the back of the store when the things went wrong (which was, in the words of the now-legendary Tom Jones, not unusual).

    1. tin 2

      Re: DSG

      I remember that well, the staff were really struggling with it.

    2. Eccles1

      Re: DSG

      I also had the misfortune of working at one of their stores as a 'tech' during my uni days when crappy Eclipse came in. Written very badly in Java, all the machines running it on XP with full internet access and intranet access. If you raised any concerns you were just fobbed off of course. Avoided buying anything in any of their stores for over a decade now.

      1. HmmmYes

        Re: DSG

        Written in Java ... running on XP ....

        Why not just leave the doors and till open at night?

  3. ocelot

    Still running Windows XP in Jan 2020 on their tills.

    The number of obsolecence warning pop-ups flashing over the user interface when I bought a phone there the other day was scary.

    1. BogBeast

      Bad computers...

      Hope you paid cash for yout new phone !

  4. Phil Kingston

    Appealing it? They really should just suck it up, invest in a new CIO and move on.

    1. Charlie Clark Silver badge

      Why? They probably all hoping that the regulators will soon lose the few teeth they were recently given courtesy of the EU. It's not as if the ICO has any real powers to enforce payment, as the long list of unpaid fines attests to.

  5. Bendacious

    I asked them last year to delete any personal data they held on me, after hearing about the breach of their customer data. They have decided that to perform a GDPR deletion request I have to write a letter to their head office including ID. I have to give them more personal data to get my data deleted. They were happy for me to prove my identity with an email address when buying from them. It's legal for them to make me jump through these hoops but it's clearly done to make the process as painful as possible.

    1. IE84

      This is a standard requirement for organisations to validate an individual before carrying out certain requests under data protection regulation.

    2. Doctor Syntax Silver badge

      Ask them to tell you that in writing. Then copy their letter and your reply to the ICO.

    3. Andy The Hat Silver badge

      I had this with the one month Experian "free trial" account - only requires basic info to set up an account but had to perform thirteen yoga positions with personal data to stop the account from the same email address a few days later ...

  6. cb7

    They're still around? I thought they disappeared ages ago.

    1. Captain Scarlet Silver badge

      Yes but they are mostly known as Currys PC World, unless you are at an airport as there is one at Stansted.

      1. Avatar of They
        Thumb Up

        And Manchester

        Two if I remember correctly, 1 either side of the "spray you in the face with mace by orange faced ladies" duty free (no honest it is) shop.

  7. Anonymous Coward
    Anonymous Coward

    And have Dixons written to all of their affected customers ?

    I certainly haven't heard anything from them.

  8. Bertieboy

    Try never to use them now, I remember the fights I used to have with them when buying stuff when they insisted on me giving them a post code/house No. even with cash purchases. I always decline (similarly requests for email etc) and have walked out the shop on more than one occasion rather than submit to their rapacious data grabbing practices.

    1. james_smith Bronze badge

      I always use a false address in these kind of situations, combination of road and house number that don't exist. Likewise, for email addresses I have a "throwaway" domain that just bounces all emails.

    2. Doctor Syntax Silver badge

      Post code W3 6RS

      "House" number 1.

    3. Doctor Syntax Silver badge

      Alternative address - for any such tricks:

      Post code: SK9 5AF

      No number but a name: Wycliffe House

      1. Andy The Hat Silver badge

        Up until 2013 all TV sellers had to provide tv purchaser information to TVLicensing by law so they had to take and pass on those customer details. They don't have to do that any more.

    4. macjules Silver badge

      I still use SW1A 1AA, house # 1

    5. Phil Kingston

      If you fancy a giggle, try being an overseas resident with no UK address for 10 years and trying to buy a UK mobile plan whilst on a visit.

  9. Pascal Monett Silver badge

    "added extra security measures"

    Um, nope. A firewall is not an "extra" security measure, it is a basic security measure - and you didn't even have that. What you did was to finally add security measures. You cannot add extra when you didn't put anything in place to start with.

  10. 0laf Silver badge

    PCI fines

    Does the PCI council publish their fines?

    Surely Dixons would be under investigation for failing those obligations as well.

  11. Mr Dogshit

    We aren't capable of securing anything

    but we KNOWHOW to sell you a USB cable for £19.99

    1. Charlie Clark Silver badge

      Re: We aren't capable of securing anything

      Do you have an audio one of those?

      1. batfink Silver badge

        Re: We aren't capable of securing anything

        Is it Directional though?

        1. Charlie Clark Silver badge

          Re: We aren't capable of securing anything

          And gold-plated for better DC transmission?

          1. Mephistro Silver badge

            Re: We aren't capable of securing anything

            ...And oxygen free?

  12. IE84

    "We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

    Always love seeing this line used by any company investigating a cyber attack or breach. Just because they have no evidence, doesn't mean it hasn't happened. The reality is that there is so much data already out in the wild, that information from multiple breaches are more likely to be combined. Therefore making it virtually impossible for any indvidual company to find "evidence" that their breach caused fraud or financial loss.

  13. Anonymous Coward
    Anonymous Coward

    Anyone know how to check?

    If my details were leaked by the Carphone Warehouse leak? I often get simple Sim contracts with them for the extra £10-£20 off when buying a phone, then swap it to pay as you go 1 year later. So they do have my basic details. :(

    1. 0laf Silver badge

      Re: Anyone know how to check?

      Something like the HaveIbeenpwnd.com database is probably about as much of a check as you can do easily.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020