Dixons Retail is facing a £500,000 penalty from the Information Commissioner’s Office (ICO) after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details.

A probe by the UK’s data watchdog said the computer system managing the till was compromised, impacting 5,390 machines at Curries PC World and Dixons Travel stores between July 2017 and April 2018 when the attack was finally spotted.

As a result, a total of 5,646,417 cards were exposed, including 5,529,349 chip and PIN cards that showed the primary account number and expiry date, and 52,788, non EMV protected cards likely from shoppers outside of the UK and EU that revealed the primary amount number, expiry date and cardholder name.

The ICO told us that in addition to the aforementioned personal financial data, Dixons had initially found that roughly 10 million non-financial records had also been pilfered (name, postal address, mobile and home phone numbers, email address, date of birth and failed credit check details) from the retailer’s internal servers and exfiltrated.

Dixons later discovered that another 2.9 million records had been snatched, along with 73 per cent of database housing 4.7 million records. The ICO said the store had been unable to confirm with any certainty how many customers were impacted but estimated it affected around 14 million “data subjects”.

As a result, Dixons broke the Data Protection Act 1998 by running a “poor security arrangement and failing to take adequate steps to protect personal data”, including insufficient software patching, absence of a local firewall, a lack of network segregation and routine security testing, the ICO added.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said ICO director of investigations Steve Eckersley. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.”

The fine is the maximum the ICO could levy under the previous data laws but had it occured following the roll-out of GDPR legislation Dixons may have found itself slapped with a bigger fine, he added.

As of March 2019, some 3,300 customers had contacted the company about the security screw-up. “Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” said Eckersley.

Dixons’ CEO Alex Baldock, said in a statement to the London Stock Exchange:

“We are very sorry for any inconvenience this historic incident caused to our customers. When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident. We duly notified regulators and the police and communicated with all our customers. We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”

In light of the incident, Dixons upgraded its detection and response systems, he said. Baldock added that the company is “disappointed” in some of the ICO’s “key findings” it had previously challenged and “continue to dispute”. He didn’t specify particular areas but is “considering our ground for appeal”.

The ICO fined Carphone Warehouse some £400,000 in January 2018 for “similar security vulnerabilities”. The breach at the mobile retailer - now part of Dixons Store Group - happened in August 2015. ®