Just one month later, the Currys PC World/Dixons Travel hack would have cost them a heck of a lot more

Graham Cluley @gcluley

If the Currys PC World/Dixons Travel data breach had happened just one month later, it would have cost them a heck of a lot more

In the summer of 2018, British shoppers found out that hackers had planted malware onto 5,390 point-of-sale payment tills at the high street stores of Currys PC World and Dixons Travel, and stolen the personal data records of 1.2 million individuals, and 5.6 million payment card details.

An investigation uncovered that the data was stolen between 24 July 2017 and 25 April 2018, and identified a number of security failings on parent company DSG Retail’s part, including:

  • The point-of-sale (POS) systems were not segregated from the wider Dixons corporate network. Network segmentation could have helped contain the compromise to just a part of the network.
  • There was no local firewall configured on the POS terminals.
  • Inadequate software patching of DSG’s domain controllers and the systems used to administer them.
  • A lack of regular scanning to identify vulnerabilities on the network.
  • Not all POS terminals were properly configured with application allow-listing to prevent unauthorised code from running.
  • A lack of logging and monitoring systems to identify incidents and respond in a timely fashion.
  • Some POS terminals were running out-of-date software, such as an eight-year-old version of Java.
  • DSG’s outdated POS system did not support Point to Point Encryption.

This week the Information Commissioner’s Office (ICO) announced that it was fining DSG Retail £500,000.

What struck me, however, is that the fine could have been much MUCH worse for DSG Retail if the hack had gone unnoticed for just one more month.

You see, on May 25 2018 (just one month after the hack of the POS terminals was spotted) the EU’s GDPR legislation came into law. And if a firm is found to have violated GDPR they can be fined up to €20 million or up to 4% of their annual worldwide turnover, whichever is greater.

As it was, the ICO hit DSG Retail with the highest fine it could under the pre-GDPR legislation, but as Steve Eckersley, the ICO’s Director of Investigations, explained, the fine would have been considerably higher if the hack had taken place under the GDPR.

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

You can hear more about what we had to say at the time about the Currys PC World/Dixons Travel data breach in this episode of the “Smashing Security” podcast, with technology journalist Geoff White:

Smashing Security #89: 'Data breaches, ransomware, Bitcoin robberies, and typewriters'


Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.