Security News > 2020 > January > Dixons Fined by UK Regulator Over Data Breach

The UK Data Protection Regulator has issued a monetary penalty of £500,000 against Dixon Carphone for what it describes as "Multiple, systemic and serious inadequacies" in the firm's security posture.
This allowed Dixons to argue that the PAN was not personal data, and that this aspect of the breach was consequently not subject to the personal data focus of the data protection laws.
Interestingly, Dixons had a security assessment before the breach.
While the ICO made it clear that compliance or non-compliance with PCI DSS is not indicative of compliance or non-compliance with the DPA, the office had earlier made it clear in guidelines that it would "Consider the extent to which you have put in place measures that PCI-DSS requires particularly if the breach related to a lack of particular control or process mandated by the standard." Dixons was clearly found wanting.
Dixons separately argued that the quantitively larger part of the breach should be treated leniently because there was no evidence of widespread distress caused.
News URL
Related news
- Hertz data breach: Customers in US, EU, UK, Australia and Canada affected (source)
- Data breach at Japanese telecom giant NTT hits 18,000 companies (source)
- PowerSchool previously hacked in August, months before data breach (source)
- Western Alliance Bank notifies 21,899 customers of data breach (source)
- Sperm donation giant California Cryobank warns of a data breach (source)
- Pennsylvania education union data breach hit 500,000 people (source)
- StreamElements discloses third-party data breach after hacker leaks data (source)
- UK fines software provider £3.07 million for 2022 ransomware breach (source)
- Texas State Bar warns of data breach after INC ransomware claims attack (source)
- Food giant WK Kellogg discloses data breach linked to Clop ransomware (source)