Just one month later, the Currys PC World/Dixons Travel hack would have cost them a heck of a lot more

Graham Cluley


In the summer of 2018, British shoppers learned that hackers had planted malware on 5,390 point-of-sale payment tills in Currys PC World and Dixons Travel high street stores, stealing the personal data records of 1.2 million individuals and 5.6 million payment card details.

An investigation found that the data was stolen between 24 July 2017 and 25 April 2018, and identified a number of security failings on the part of parent company DSG Retail, including:

  • The point-of-sale (POS) systems were not segregated from the wider Dixons corporate network. Network segmentation could have helped contain the compromise to one part of the network.
  • There was no local firewall configured on the POS terminals.
  • Inadequate software patching of DSG’s domain controllers and of the systems used to administer them.
  • A lack of regular scanning to identify vulnerabilities on the network.
  • Not all POS terminals were properly configured with application allow-listing to prevent unauthorised code from running.
  • A lack of logging and monitoring systems to identify incidents and respond in a timely fashion.
  • Some POS terminals were running out-of-date software, such as an eight-year-old version of Java.
  • DSG’s outdated POS system did not support point-to-point encryption (P2PE), which encrypts card data at the moment it is read so that malware on the till cannot capture it.
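Two of the failings in that list, the missing application allow-listing and the absence of logging and monitoring that could have spotted the intrusion, are the kind of thing a detection engineer can test for. The script below is an added example, not code from this article or from the ICO's report: it replays constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records for a single till and flags code running outside an allow-list and traffic leaving the payment segment. Every hostname, path, hash, address and the allow-list itself are made-up assumptions for illustration.

```python
"""Allow-list and egress checks for point-of-sale telemetry.

Added example, not code from the article or from the ICO's report. It
replays constructed Sysmon-style process-creation (EventID 1) and
network-connection (EventID 3) records for a till and flags two of the
failings listed above: code running outside an application allow-list, and
POS traffic leaving the payment segment. Every hostname, path, hash and
address below is made up for illustration.
"""
import ipaddress
import json

# Hypothetical allow-list for a POS build: image path -> SHA-256 of the
# approved binary. In practice this comes from the gold image.
ALLOWED_IMAGES = {
    r"C:\POS\till.exe": "a" * 64,
    r"C:\Windows\System32\svchost.exe": "b" * 64,
}

# Hypothetical payment segment and the only external host a till may reach
# (203.0.113.0/24 is a documentation range, so this resolves nowhere real).
PAYMENT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
PAYMENT_GATEWAY = ipaddress.ip_address("203.0.113.10")


def check_process(event):
    """Return a finding for an EventID 1 record, or None if it is allowed."""
    image = event["Image"]
    sha = event.get("SHA256", "").lower()
    expected = ALLOWED_IMAGES.get(image)
    if expected is None:
        return f"unlisted binary executed: {image} (parent {event.get('ParentImage')})"
    if sha != expected:
        # Path-only allow-listing is bypassed by overwriting an approved
        # binary in place, so the hash is pinned as well.
        return f"allow-listed path with unexpected hash: {image} sha256={sha[:12]}"
    return None


def check_network(event):
    """Return a finding for an EventID 3 record that leaves the payment segment."""
    dst = ipaddress.ip_address(event["DestinationIp"])
    if dst in PAYMENT_SEGMENT or dst == PAYMENT_GATEWAY:
        return None
    return f"egress outside payment segment: {event['Image']} -> {dst}:{event['DestinationPort']}"


CHECKS = {1: check_process, 3: check_network}


def scan(lines):
    """Parse newline-delimited JSON events and return (host, finding) pairs."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        check = CHECKS.get(event["EventID"])
        if check is None:
            continue  # other event types are out of scope for this example
        finding = check(event)
        if finding:
            findings.append((event["Computer"], finding))
    return findings


# Constructed sample telemetry: a normal till start-up, an approved path
# whose binary has been replaced, an unlisted dropper, a legitimate
# connection to the gateway, an intra-segment connection, and an outbound
# connection from the dropper to an unknown host.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "TILL-0421", "Image": r"C:\POS\till.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "SHA256": "a" * 64},
    {"EventID": 1, "Computer": "TILL-0421", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "SHA256": "c" * 64},
    {"EventID": 1, "Computer": "TILL-0421", "Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "SHA256": "d" * 64},
    {"EventID": 3, "Computer": "TILL-0421", "Image": r"C:\POS\till.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "TILL-0421", "Image": r"C:\POS\till.exe",
     "DestinationIp": "10.50.3.9", "DestinationPort": 445},
    {"EventID": 3, "Computer": "TILL-0421", "Image": r"C:\Users\Public\update.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
])

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {finding}")
```

Run as-is, the script reports three findings for the constructed till: the replaced svchost.exe, the unlisted update.exe, and update.exe's connection to a host outside the payment segment. The point of pinning a hash rather than just a path is that an attacker with write access to the terminal can simply overwrite an approved binary; the point of the egress check is that a properly segmented till has exactly one legitimate external destination, so anything else is worth an alert. Neither check helps with the missing P2PE, which is a property of the payment hardware rather than of monitoring.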

This week the Information Commissioner’s Office (ICO) announced that it was fining DSG Retail £500,000.


What struck me, however, is that the fine could have been much, MUCH worse for DSG Retail had the breach gone unnoticed for just one more month.

You see, on 25 May 2018 (just one month after the compromise of the POS terminals was spotted) the EU’s GDPR came into force. A firm found to have violated the GDPR can be fined up to €20 million or up to 4% of its annual worldwide turnover, whichever is greater.

As it was, the ICO hit DSG Retail with the highest fine it could impose under the pre-GDPR legislation, the Data Protection Act 1998, but, as Steve Eckersley, the ICO’s Director of Investigations, explained, the fine would have been considerably higher had the breach fallen under the GDPR.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

You can hear more about what we had to say at the time about the Currys PC World/Dixons Travel data breach in this episode of the “Smashing Security” podcast, with technology journalist Geoff White:

Smashing Security #089: 'Data breaches, ransomware, Bitcoin robberies, and typewriters'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
