The UK Data Protection Regulator (the Information Commissioner’s Office – ICO) has issued a monetary penalty of £500,000 ($654,000) against Dixons Carphone for what it describes as “multiple, systemic and serious inadequacies” in the firm’s security posture.
Dixons’ systems were compromised for a period of eight months between July 24, 2017 and April 25, 2018. This was just one month before GDPR came into effect on May 25, 2018, and one month before the UK’s Data Protection Act 2018 (the UK’s version of GDPR) gained royal assent on May 23, 2018. The £500,000 penalty is the maximum allowed under the UK’s earlier DPA 1998; and the ICO made it clear it would have been considerably higher under GDPR (perhaps more in line with the ICO’s GDPR penalties of $230 million on British Airways and $124 million on Marriott Hotels).
The breach, which was notified to Dixons by external sources, involved malware running on 5,390 point-of-sale (POS) terminals and affected 5,646,417 payment cards, of which all but 52,788 were EMV chip-protected cards. This was not a Magecart-style skimming attack. It succeeded because Dixons had not installed point-to-point (P2P) encryption. Because of this, only the primary account number (PAN) and expiry date were captured.
This allowed Dixons to argue that the PAN was not personal data (that is, that the cardholder was effectively anonymized), and that this aspect of the breach was consequently not subject to the personal data focus of the data protection laws. The argument was roundly rejected by the information commissioner, who quite simply holds that PANs are personal information.
Interestingly, Dixons had a security assessment before the breach. The ICO report does not state categorically — but certainly implies — that this was part of, or similar to, a PCI DSS audit. That audit concluded, “The integrity of [the POS devices] should not be relied upon… may not be compliant with the requirements of the PCI DSS as relating to store networks and POS terminals.”
While the ICO made it clear that compliance or non-compliance with PCI DSS is not indicative of compliance or non-compliance with the DPA, the office had earlier made it clear in guidelines that it would “consider the extent to which you have put in place measures that PCI-DSS requires particularly if the breach related to a lack of particular control or process mandated by the standard.” Dixons was clearly found wanting.
Dixons separately argued that the quantitatively larger part of the breach should be treated leniently because there was no evidence of widespread distress caused. This was the exfiltration of personal data from an estimated 14 million data subjects. The data included names, postal addresses, mobile and home phone numbers, email addresses, dates of birth and failed credit check details — more than enough to launch identity theft attacks.
The ICO contests the view that little distress was caused to the victims, but also concludes that the argument is irrelevant. The penalty notice (PDF) states that the information commissioner “remains mindful that DPP7 and the statutory conditions under section 55A [of the DPA 1998] are concerned with measures and the kind of contravention, rather than with any actual data breach.” This is an important point that applies equally to the DPA 2018 and GDPR — companies do not have to suffer a breach to be in non-compliance with the law and subject to financial penalties.
As it happens, Dixons both suffered the breach and was in contravention of the requirements of the law in several areas. These included: no network segmentation (considered by the ICO to be an appropriate security mechanism); no local firewall on the POS devices; ‘systemic patch management failing’; irregular vulnerability scanning; inconsistency in the enforcement of application whitelisting; no effective logging and monitoring system; use of outdated software (eight-year-old Java) on the POS terminals; no P2P encryption on the POS; poor administrator account management; and a failure to implement standard builds for all system components.
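As an added illustration (not from the ICO notice or this article): without point-to-point encryption the PAN sits in cleartext on the terminal and can leak into local logs, which is exactly what a monitoring pipeline should detect. The Python scanner below runs over a constructed POS log excerpt, confirms candidate digit runs with the Luhn check that every real PAN satisfies, and masks hits to the first six and last four digits.

```python
import re

# Constructed sample of POS-side log text, not data from the Dixons case:
# two cleartext PANs with expiry dates, one tokenised record, and a
# 16-digit trace id that is not a card number (fails Luhn).
SAMPLE_LOG = """\
2017-08-01 10:02:11 txn ok pan=4111111111111111 exp=1219 amt=49.99
2017-08-01 10:03:05 txn ok token=tok_8f3a21c9 exp=0321 amt=12.00
2017-08-01 10:04:40 debug trace id=1234567890123456 status=OK
2017-08-01 10:05:02 txn ok pan=5555555555554444 exp=0920 amt=8.50
"""

# Candidate PAN: an isolated run of 13 to 19 digits.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: true for every correctly formed card PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_pos_log(text: str):
    """Return (masked_text, findings); findings are (line_no, masked_pan)."""
    findings = []
    out_lines = []
    for n, line in enumerate(text.splitlines(), 1):
        def repl(m):
            digits = m.group(1)
            if not luhn_valid(digits):
                return digits            # not a PAN, leave untouched
            findings.append((n, mask_pan(digits)))
            return mask_pan(digits)
        out_lines.append(CANDIDATE.sub(repl, line))
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    masked, hits = scan_pos_log(SAMPLE_LOG)
    print(masked)
    print("cleartext PANs found:", hits)
```

The Luhn step matters because a naive 16-digit regex also fires on trace ids, timestamps and order numbers; the check alone is not proof a value is a live card, so hits should be triaged against the terminal's expected data flow.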
Dixons argued that addressing the ICO’s concerns would not necessarily have prevented the ‘sophisticated’ attack. The ICO responded that each of the inadequacies “would have constituted a contravention of DPP7 in the circumstances of this particular case:” and that “the Commissioner’s preliminary view is that there was plainly a multi-faceted contravention of DPP7 in this case.”
There are three primary takeaways from this penalty notice. The first is that the days of a gentle slap on the wrist for privacy failings are gone. While £500,000 is relatively low today, it is nevertheless the maximum allowed under the law in question. If the Dixons breach had remained open for just one more month, the penalty would most likely have been nearer to nine figures than six.
Secondly, PANs without the cardholder’s name or CVV number are still considered to be personal data under the law.
Thirdly, a breach is not necessary for a company to be liable under the requirements of the law.
Dixons has the right to appeal the penalty within 28 days of its date (or it could pay the penalty before 6 February 2020 and receive a 20% reduction to £400,000). In a statement issued 9 January 2020, Dixons said, “We are disappointed in some of the ICO’s key findings which we have previously challenged and continue to dispute. We’re studying their conclusions in detail and considering our grounds for appeal.”