DSG Retail fined by ICO for poor security

DSG Retail Limited (DSG) has been fined £500,000 by the Information Commissioner’s Office (ICO) for a cyberattack that may have affected as many as 14 million people between July 2017 and April 2018.

Malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores is thought to have given cybercriminals unauthorised access to the details of 5.6 million payment cards used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks, from internal servers.

DSG was found to have breached the Data Protection Act 1998 by having poor security arrangements. The watchdog growled that:

  • The point-of-sale (POS) systems were not segregated from the wider Dixons corporate network.
  • Network segmentation could have helped contain the compromise to just part of the network.
  • There was no local firewall configured on the POS terminals.
  • Software patching of DSG’s domain controllers, and of the systems used to administer them, was inadequate.
  • There was a lack of regular scanning to identify vulnerabilities on the network.
  • Not all POS terminals were properly configured with application whitelisting to prevent unauthorised code from running.
  • There was a lack of logging and monitoring systems to identify incidents and respond in a timely fashion.
  • Some POS terminals were running out-of-date software, for instance an eight-year-old version of Java.
  • DSG’s outdated POS system did not support Point-to-Point Encryption (P2PE).