UK Fines Dixons Carphone for Massive BreachRetailer's Missteps Led to 'Careless Loss of Data,' Privacy Watchdog Says
British regulators have fined Dixons Carphone, a large electronics and phone retailer, £500,000 ($653,000) for a breach that exposed millions of payment card details and personal data due to point-of-sale malware.
Dixons violated the U.K.'s Data Protection Act 1988 "by having poor security arrangements and failing to take adequate steps to protect personal data," according to the Information Commissioner's Office.
"This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing," the ICO says.
Dixons Carphone, also known as DSG Retail, has stores in eight countries and Hong Kong and manages such brands as PC World, Currys and Carphone Warehouse.
This is the second time in two years Dixons Carphone has been fined. In January 2018, the ICO fined it £400,000 ($523,000) for a 2015 breach of its Carphone Warehouse subsidiary after an attacker exploited an outdated WordPress installation (see: Carphone Warehouse Breach: 'Striking' Failures Trigger Fine).
Latest Breach Occurred Before GDPR Enforcement
Dixons Carphone avoided a potentially much larger fine under the EU's strict General Data Protection Regulation privacy law. Under GDPR, organizations can face fines of up to 4 percent of annual global revenue or €20 million ($22 million), whichever is greater.
GDPR was in place in July 2017 when the Dixon Carphone's breach began, and it persisted until April 2018, when the retailer found and disclosed the breach. But because the breach occurred before the EU began enforcing GDPR in May 2018, regulators applied the previous data protection law, which allows for a maximum fine of £500,000, which they selected.
"The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR," says Steve Eckersley, the ICO's director of investigations. "Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen."
'Careless Loss of Data'
The ICO's investigation found that attackers installed malware in 5,390 electronic cash registers across the company's stores. The malware collected the details of 5.6 million payment cards.
Personal information for 14 million individuals was also intercepted by the malware. Exposed data included full names, postcodes, email addresses and failed credit checks from internal services, the ICO says.
"Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud," Eckersley says. "We recognize that cyberattacks are becoming more frequent, but organizations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people's personal data."
"We recognize that cyber-attacks are becoming more frequent, but organizations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people's personal data."
— Steve Eckersley, ICO director of investigations
Most of the cards affected by Dixon Carphone's breach were EMV cards with an embedded microchip that provides stronger verification that a transaction is legitimate. Although the card's details can be cloned and copied to a dummy card, a transaction performed without the chip should be rejected. Attackers, however, also stole primary account numbers and expiration dates, which could potentially be used for e-commerce fraud and other types of attacks.
Some 52,788 non-EMV cards from outside the U.K. and EU were stolen, including the primary account number and expiration dates. For 8,628 cards, the cardholder name was also stolen, the ICO says in its monetary penalty notice.
After the incident, Dixons Carphone argued to the ICO that because most of the stolen card details did not include the cardholder's name, it did not constitute personal data. The ICO rejected that argument, however, maintaining that a primary account number is personal data.
No Network Segregation, Poor Patching
ICO's 30-page penalty notice describes a slew of security failures that led to the fine.
The ICO found fault with numerous aspects of how Dixons Carphone had structured its network. An outside security consultancy performed the evaluation in May 2017.
Dixons Carphone used Microsoft operating systems for its POS systems. But the company's "network segregation was insufficient," despite guidance from Microsoft to separate POS systems from other systems, the ICO reports.
Also, Dixon failed at patching, including its POS terminals and other software, the ICO says, which led to attackers gaining domain-level access.
Investigators believe that attackers exploited an unpatched vulnerability in Microsoft's group policy tool, which is part of Active Directory. In 2014, Microsoft issued a patch that fixed this particular vulnerability. Microsoft also advised that administrators should remove old group policies - which may have included passwords - before applying the patch, the ICO writes.
Dixons Carphone "confirmed that it did not carry out the second action to remove the existing group policy until after the attack, in 2018," the ICO writes in its penalty notice. "This meant that the vulnerability remained exploitable for four years, during which time the attack was able to use extensively the account in order to compromised personal data held on the POS terminals."
The company also failed to undertake regular vulnerability scanning, managed incorrectly application whitelisting across POS terminals and did not have effective logging and monitoring in place, the ICO says.
Despite major attacks in 2013 and 2014 against Target, Home Depot and others publicizing the risk posed by POS malware, retailers continue to fall victim. Just this month, Houston-based Landry, which runs hotels and casinos around the world, said it was investigating a payment card breach tied to POS malware for the second time in four years (see: Restaurant Chain Landry's Investigates Malware Incident).