ICO seeking permission to appeal Tribunal’s decision on DSG Retail Limited regarding data breach
The Information Commissioner’s Office (ICO) isn’t happy with the judgment handed down by the First-tier Tribunal, which reduced DSG Retail Limited’s penalty for a data breach infringement to £250,000.
Back in January 2020, the ICO imposed a fine of £500,000 on DSG Retail Limited after it suffered a massive cyberattack, causing millions of victims to be vulnerable to financial theft and identity fraud.
Investigation showed that an attacker installed malicious software on 5,390 cash registers at DSG’s Currys PC World and Dixons Travel Stores between July 2017 and April 2018.
For nine months the threat actor had access to 5.6 million payment card details and personally identifiable information of approximately 14 million people, including full names, postal codes, email addresses, and failed credit checks from internal servers.
According to the ICO, DSG Retail Limited failed to take adequate steps to safeguard sensitive information. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
DSG appealed the ICO’s decision to the First-tier Tribunal (FTT). In its ruling in July 2022, the FTT substituted the original amount with a £250,000 fine. DSG was subsequently granted permission to appeal the FTT’s decision to the Upper Tribunal.
In its 2024 ruling, the Upper Tribunal allowed DSG’s appeal and remitted the case to the FTT to be re-decided. The ICO, however, believes the Tribunal interpreted the law incorrectly, because its reading suggests that an organization is not required to take safeguards against unauthorized access to, or unlawful processing of, data by a third party.
“This is a core concept of data protection law, and we are seeking clarification so there’s certainty for organizations and people’s information is better protected,” Information Commissioner John Edwards says in a statement.
He argues that we’ve seen many cases where people have been affected when malicious actors have accessed, deleted or encrypted pseudonymized personal data.
“Similar security requirements apply in the current data protection regime, so it’s crucial that we seek clarification on this important issue from the courts,” Edwards adds.
The ICO is now awaiting the Upper Tribunal’s decision.