In early June, the British retail giant Dixons Carphone announced that it had suffered a major data breach that could affect millions of customers. The first incident was reported to involve the payment card details of some 5.9 million customers; a second was said to involve the personal records of 1.2 million customers.
Of the 5.9 million cards, it is reported that 5.8 million were chip-and-PIN protected cards (so the data taken did not include PINs or card verification values), leaving roughly 105,000 non-EU cards without that protection.
There has been no official account of how the breaches occurred, but the company states that they took place in 2017 and that it has since investigated and closed the access that led to them.
“As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as a result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.”
Following the announcement of the breach the organisation's share price dropped by more than 3%, and it is likely to face a regulatory fine on top of that. In 2015 Carphone Warehouse suffered a similar breach in which the payment card details of around 90,000 customers were stolen. The Information Commissioner's Office (ICO) fined the firm £400,000 for that incident, against a maximum possible fine at the time of £500,000.
After the most recent breach a representative of the National Cyber Security Centre said they are:
“Working with Dixons Carphone and other agencies to understand how this data breach has affected people in the UK and advise on mitigation measures.”
The current trend of data breaches
Data breaches are regular news; their number is rising, or at the very least the number being reported is. That trend is set to continue now that the GDPR is in full effect, since organisations are obliged to notify the regulator of breaches rather than deciding for themselves whether to disclose them.
Among the most recent breaches to be announced and investigated is the one that affected Ticketmaster. The company states that ‘personal or payment information may have been accessed by an unknown third party’. The breach is thought to have affected customers who bought tickets from the site between February 2018 and 23 June 2018, approximately 40,000 people. The organisation has contacted everyone affected by email and recommended that they reset their passwords; as a precaution it has also contacted customers who made purchases between September 2017 and 23 June 2018.
The ICO investigates
The Information Commissioner's Office is the UK's data protection regulator. Its role is to enforce data protection law, to ‘uphold information rights in the public interest’ and to ‘promote openness by public bodies and data privacy for individuals’. The ICO regulates organisations and individuals in line with the GDPR and investigates data breaches once they have been reported to it.
The ICO will investigate both the Dixons Carphone and Ticketmaster breaches. The likely outcomes include an undertaking, an enforcement notice or a monetary penalty. The size of any penalty depends on the scale of the breach, how it occurred, the seriousness of the loss and its likely effect on the individuals concerned. Since January 2018 the ICO has issued more than £3.5 million in monetary penalties.
Under the GDPR the ICO can now fine an organisation up to £17 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. Dixons Carphone's revenue for its 2016/17 financial year was about £10.58 billion; 4% of that is roughly £423 million.
5 points to know about the GDPR
What is it?
The General Data Protection Regulation is an EU regulation that sets out how personal data must be protected and what the consequences of a breach are. Its main aims are to strengthen data protection and to protect the rights of individuals (data subjects).
Monetary fines for non-compliance
Under the Data Protection Act 1998 in the UK, the ICO could fine an organisation up to £500,000 for a serious data breach. Under the GDPR the maximum fine is £17 million (€20 million) or 4% of global annual turnover, whichever is higher.
Definitions of a data breach and of personal data
The GDPR sets out updated definitions in Article 4. Two of the most important are ‘personal data’ and ‘personal data breach’, which are defined as follows:
Personal data is ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
A personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ Note that this covers far more than theft: accidental deletion, corruption and loss of availability of personal data are breaches too.
Reporting a breach
A personal data breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk to individuals is high, the affected individuals must also be told without undue delay. The report must include as much detail as is known: how the breach occurred, its scale (the categories and approximate numbers of data subjects and records involved), its likely consequences, and the measures taken or proposed to address it. Information that is not yet available can be supplied in phases, so a notification should not be delayed to wait for a complete picture. Failure to report within 72 hours can lead to a fine of up to £8.5 million or 2% of global annual turnover, whichever is higher, in addition to any fine for the breach itself.
The supervisory authority is responsible for ensuring that the GDPR is complied with. In the UK this is the Information Commissioner's Office (ICO).