The UK Information Commissioner’s Office (ICO) fined DSG Retail Limited £500,000 following a malware attack that affected millions of the retailer’s customers.

As the result of an investigation, the ICO learned that the DSG Retail Limited had suffered a security incident in which an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores.

The malware collected customers’ information including their full names, email addresses and failed credit checks from internal servers between July 2017 and April 2018.

At the end of its investigation, the ICO determined that DSG Retail Limited had breached the Data Protection Act of 1998 by having not implemented proper security measures including software patching, network segmentation and routine security testing.

Steve Eckersley, ICO’s Director of Investigations, explained that these failures amounted to “a complete disregard for the customers whose personal information was stolen.”

Retailer fined £500,000 for failing to secure information of at least 14 million people: https://t.co/4TBVEivnw3 pic.twitter.com/t7qz3AayjR — ICO (@ICOnews) January 10, 2020

He therefore said it was necessary to impose the maximum monetary punishment under the Data Protection Act of 1998, noting that the fine would have been much higher under GDPR.

As Eckersley observed in a statement posted on the ICO’s website:

Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud. We recognize that cyber-attacks are becoming more frequent, but organizations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.

Prior to this announcement, the ICO had received 158 complaints from customers between June 2018 and November 2018 in reference to the security incident described above. The non-departmental public body noted that more than 3,000 customers had also directly contacted DSG Retail Limited about the data breach as of March 2019.

This incident follows on the heels of the ICO having punished Carphone Warehouse, which is part of the same company group, with a fine of £400,000 for similar security vulnerabilities back in January 2018.