Security News > 2020 > January > Dixons fined £500,000 by ICO for crap security that exposed 5.6 million customers' payment cards
Dixons Retail is facing a £500,000 penalty from the Information Commissioner's Office after a hacker installed malware that infected thousands of point of sale tills and scooped up 5.6 million payment card details.
The ICO told us that in addition to the aforementioned personal financial data, Dixons had initially found that roughly 10 million non-financial records had also been pilfered from the retailer's internal servers and exfiltrated.
Dixons later discovered that another 2.9 million records had been snatched, along with 73 per cent of database housing 4.7 million records.
The ICO said the store had been unable to confirm with any certainty how many customers were impacted but estimated it affected around 14 million "Data subjects".
As a result, Dixons broke the Data Protection Act 1998 by running a "Poor security arrangement and failing to take adequate steps to protect personal data", including insufficient software patching, absence of a local firewall, a lack of network segregation and routine security testing, the ICO added.