Companies that fail to protect themselves online no longer need to fear only the bad guys lurking in the hidden corners of the internet. Increasingly, they need to worry about the good guys as well.

The UK is one country leading this push to force companies to protect themselves and their customers, dishing out fines left and right to entities that mishandle user data or put customers at risk of ID theft and fraud. In the latest example, the UK Information Commissioner’s Office (ICO) has fined retailer DSG Retail Limited (DSG) £500,000 for a cyber-attack affecting at least 14 million customers.

As per the ICO’s announcement on Thursday, an attacker allegedly installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018. The attacker collected personal data for nine months before the attack was detected.

“The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers,” the ICO said in its press release.

The hack was possible because DSG had failed to patch known bugs, had no firewall, lacked network segregation and had not conducted routine security checkups. These poor cybersecurity practices meant DSG breached the Data Protection Act 1998, under which the ICO can deal the maximum penalty of 500,000 pounds – which it did.

The ICO pointed out that Carphone Warehouse, also owned by DSG, was fined in January 2018 £400,000 for similar offenses.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data,” said Steve Eckersley, ICO’s Director of Investigations. “It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The ICO cannot fine DSG under the newer regulation because the breach occurred before the GDPR took effect in May 2018.

The ICO says the breach significantly affects individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The watchdog claims to have received 158 complaints between June 2018 and November 2018 from DSG customers. DSG itself admitted that around 3,300 customers had contacted them directly in relation to this data breach.

“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud,” Eckersley added. “We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”

The ICO directs affected parties to the Monetary Penalty Notice for details of its investigation into the breach.