Dixons Carphone’s review of data and its systems disclosed massive unauthorised access to 5.9 million customer cards and 1.2 million personal records. The incident gathers attention after both GDPR and Data Protection Act 2018 (‘DPA 2018’) came into force on 25 May 2018.
Hacking began July last year and gave access to some 105,000 non-EU payments cards without chip and pin protection. Fortunately for Dixons Carphone, the breach occurred before the GDPR came into force and so it faces a maximum fine of £500,000 under old legislation.
New data provisions under the GDPR impose tougher penalties on organisations for failures to protect their customers personal data, including a fine of up to €20M (£17.6) or 4% of the organisation’s global turnover. The provisions are incorporated into DPA 2018 to ensure national application when the UK exits the EU.
In view of these changes, National Cyber Security Centre has recently stated it is no longer the case where firms can just shut the door to cyber-attacks. Rather they should lock the doors and check them later. Employers and organisations should now take greater steps towards the security of their customers personal information.