Cybersecurity · Retail · 2020
DSG Retail Limited (Currys PC World)
DSG Retail Limited (Currys PC World) was fined the maximum penalty under the Data Protection Act 1998 following a cyberattack between July 2017 and April 2018 in which attackers installed malware on point-of-sale terminals across hundreds of UK stores, compromising the payment card data of an estimated 14 million customers. The ICO found that DSG had inadequate patch management and no vulnerability scanning programme, and that it failed to detect the nine-month compromise because basic security monitoring was absent. The violations predated GDPR, but the fine was the maximum available under the applicable DPA 1998 regime.
Fine Imposed: €585,000.0
Authority: ICO-UK
Regulation: UK General Data Protection Regulation + Data Protection Act 2018
Max fine: Higher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%
Status: active
Key Takeaways
- Point-of-sale security requires active patch management, network segmentation, and continuous monitoring — organisations handling payment card data across physical retail locations carry significant breach liability under any data protection regime.