Dixons Carphone Warehouse get maximum ICO fine and potential PCI Fines
So DSG or colloquially Dixons Carphone Warehouse has managed to avoid a hefty fine from the Information Commissioner. Apparently, the assessment was against the old Data Protection Act 1998 rather than the more punitive GDPR. Much of the issue was related to PCI DSS failings, which could lead to PCI Fines too.
The fine levied was the highest possible under the old regime of £500,000.
This was against a potential fine that could have been as much as 4% of global turnover which for 2016/2017 was £10,580 million. 4% of that figure is a whopping £423 million.
Its more likely the fine could have been 2% for other types of breach in this case. This would still have been over £200 million.
So, the company’s choice not to invest sufficiently in IT Security seems to have paid off, in fact, the decision makers might just have saved the company several million.
Who says indecision and incompetence doesn’t pay?
What about the PCI fines?
This incident affected 5,529,349 payment cards in total. Interestingly the ICO recognises PAN as personal data.
So, whilst the Data Protection fines levied by the ICO are front page news. What about the PCI DSS fines?
DSG are members of the PCI DSS Security Standards Council and you would think that comes with some degree of responsibility, and even more amazing is that:
“Organizations that are listed on this site are not necessarily PCI DSS compliant.”
Source: PCI DSS Security Standards Council.
It’s tricky to find certain information such as the total number of card transactions and therefore the merchant level but we can assume that DSG is a level 1 merchant and therefore require a QSA to audit them. The ICO report reinforces this stating that the PCI Assessment performed in May 2017, one finding in relation to the POS terminals was that they were:
“susceptible to critical vulnerabilities that would allow an adversary operating on the internet to compromise the confidentiality integrity and availability of these devices completely…..The integrity of these devices should not be relied upon… may not be compliant the requirements of the PCI DSS as relating to store networks and POS terminals”
What isn’t so easy to find is whether DSG were granted an annual renewal certificate or not.
The security assessment conducted as part of the investigation made a number of other IT Security discoveries, including the following:
- No segregation of the POS network away from the DSG corporate network
- The POS terminal had no local firewall
- The patching of the POS terminals was not up to date
- No regular vulnerability scanning performed
- Application whitelisting was not evident on some devices
- Incident logging and monitoring was ineffective
- Some elements of the POS software were out of date
- Ineffective management of Domain administrator accounts
- No use of Standard builds
What is scandalous is that with the findings above DSG should not have had a valid PCI assessment and certificate.
Unfortunately, GDPR Auditing has been unable to locate any details of DSG’s PCI DSS certification or any fines levied by the card schemes.
Potential PCI Fine
Assuming they take the same approach as the ICO then we can assume the calculations below:
When you compromise 5,529,349 card payments, the PCI DSS fines could also be quite large.
Let’s assume 90% of the 5,529,349 card transactions were unique cards.
Using those figures to illustrate the example:
Cards compromised = 4,976,414
Fines per card for PAN and CVV = €18
4,976,414 * €18 = €89,575,453 plus the cost of the investigation and a €3000 case fee.
GBP £76 million give or take a little loose change.
Even more worrying is that is wasn’t as if DSG were not aware of the risks. 2017 annual report highlighted the follow:
- Dependence on networks
- IT Systems and Infrastructure
- Information Security
Data protection or security where not included in 2017/2018 plans, unsurprisingly and in every area the top KPI was headline revenue with no KPI’s relevant to data protection or security.
So where is all this leading
Yet again a multi-million pound business fails to protect the very people who keep it in business and whilst those of us that have worked at the coal face securing systems and keeping them up to date are well aware that things take time, it does not explain how such a large list of IT Security deficiencies could have been present, and the ICO states this in their report.
How can GDPR Auditing Help
More often we see GDPR and PCI DSS being used in the same breath. And whilst PCI DSS is not perfectly aligned to the GDPR security principles the ICO says this:
“Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS requires particular if the breach related to a lack of particular controls of processes mandated by the standard.”
PCI DSS Does, however, contain much of the good practice you should be looking for when complying with GDPR.
GDPR Auditing are GDPR and PCI DSS specialists and can help you comply with both regulations by combining the requirements and preventing duplication of effort.
The information provided in this post is for general information only and is not intended to provide legal advice.
© GDPR Auditing 2020.