
The UK’s data watchdog, the Information Commissioner’s Office (ICO), has won an important Court of Appeal ruling against retailer DSG, keeping a £500,000 fine in place over a major cyberattack. The Court of Appeal found in the ICO’s favour against the Upper Tribunal's decision in DSG Retail Limited.
In January 2020, the United Kingdom’s data protection authority (DPA) issued a £500,000 fine to DSG Retail Limited after a cyberattack compromised its computer system. The breach affected the personal data of at least 14 million people.
The ICO’s investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine months before the attack was detected.
The British DPA found that the retailer had failed to secure the system, allowing attackers to gain access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, zip codes, and email addresses, along with failed credit checks from internal servers.
The ICO concluded that DSG Retail Limited had implemented inadequate security measures and failed to take appropriate steps to protect personal data. The failings included inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.
DSG appealed the ICO’s ruling at the First-tier Tribunal (FTT) and Upper Tribunal (UT). In turn, the data protection authority appealed to the Court of Appeal in 2024 to seek clarification of an important point under the Data Protection Act 1998.
The Court of Appeal ruled in favor of the ICO, stating that DSG was required to take appropriate security measures to protect personal data from unauthorized access.
“We welcome the CoA’s confirmation that organizations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognizes that even if hackers can’t identify people individually from stolen datasets, cyberattacks can and do still cause real harm,” Binnie Goh, ICO General Counsel, said in a statement.
“With the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organizations: you have a protective duty to safeguard the personal data you hold,” she continued.
Now that the point of law has been clarified by the Court of Appeal, the case will return to the First-tier Tribunal at a later date to apply this interpretation to the facts of the DSG cyberattack.