The Information Commissioner’s Office said hackers had installed malware on 5,390 tills at Currys PC World and Dixons Travel stores. They were able to access 5.6 million payment cards and collect sensitive personal information of about 14 million people, including their full names, postcodes, email addresses and failed credit checks.
The systems were first compromised in July 2017 but the breach was not detected until nine months later.
The ICO said DSG Retail Limited (DSG) failed to take basic steps to secure the system which allowed unauthorised access to 5.6 million payment card details used in transactions and leaving millions of customers vulnerable to financial theft and identity fraud.
Dixons Carphone breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. The ICO said this included the absence of a local firewall, lack of network segregation and routine security testing. As such, it has fined DSG the maximum £500,000 for its serious failings.