Will Dixons Carphone be first company hit with GDPR fine?

Organisations across the world scrambled to ensure their privacy and data protocols were compliant with the GDPR’s introduction last month, but how stringently will regulators enforce the regulation?

News that a massive data breach has hit Dixons Carphone may have peaked business leaders’ interest, with the company admitting criminals targeted 5.9 million customer bank cards and 1.2 million personal data records. Will we finally see the wrath of GDPR regulators in action?

Probably not. The Dixons breach apparently occurred some time in the last year, making it a pre-GDPR era event. As such, the organisation is likely to escape a fine under the regulation, which would have seen the firm pay up to four per cent of revenue or €20 million (£17.6 million), whichever was higher.

Dixons Carphone posted full-year revenues of £10.5 billion in June 2017, so a GDPR penalty could have reached a whopping £420 million – a sizeable chunk of the retailer’s £501 million profit for the 12-month period.

What will happen to Dixons Carphone next?

Dixons Carphone may not have to pay a GDPR fine, but the UK Information Commissioner’s Office (ICO) will take a dim view of the latest breach for several reasons:

  • The company seems to have known about the incident for some time;
  • Customer bank cards were compromised; and
  • Carphone Warehouse has already been fined £400,000 this year for a 2015 cyber attack.

The Carphone Warehouse breach saw the personal details of three million customers and 1,000 employees accessed, including names, addresses, phone numbers, marital statuses and dates of birth. Approximately 18,000 people had historical card payments exposed.

Dixons Carphone owns Carphone Warehouse following a £3.8 billion merger in 2014.

When announcing the £400,000 penalty in January, information commissioner Elizabeth Denham said companies like Carphone Warehouse should have the resources to ensure their systems are robust.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” she explained.

The ICO is therefore likely to inflict a substantial penalty if the authority feels lessons haven’t been learned from the previous incident. Nevertheless, the maximum fine available to the ICO is £500,000 under previous data protection rules.

ICO investigating the latest breach

For now, the ICO remains tight-lipped about its course of action. On Wednesday (June 13th), the office said it is liaising with the National Cyber Security Centre, The Financial Conduct Authority and other agencies to learn more about the breach.

“It is early in the investigation. We will look at when the incident happened and when it was discovered as part of our work, and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts,” a spokesperson said.

One factor working in Dixons Carphone’s favour is that the vast majority of compromised card details have chip-and-pin protection. This means any information accessed will not contain PINs or card verification values (the three-digit code on the back of the card).

While criminals also accessed approximately 105,000 non-European cards without chip-and-pin, Dixons Carphone claims there is no evidence that fraud has occurred as a result.

“We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected,” said chief executive Alex Baldock.

Preparing for a GDPR future

Dixons Carphone may dodge a multi-million-pound fine this time, but businesses will no doubt keep a keen eye on developments to gauge how regulators may deal with GDPR failings.

The incident could also encourage more organisations to ensure their GDPR compliance procedures are up to scratch, particularly if the ICO and other authorities take a no-nonsense approach to recent breaches.

Businesses will require the best cyber security professionals to maintain an adequate defence against increasingly sophisticated attacks. If you need to discuss your security and resilience needs with a specialist recruiter, please contact me on 020 7936 2601 or via email at am@barclaysimpson.com.