Dixons Carphone data breach fine issued

Hacked Cybersecurity

The ICO (Information Commissioner’s Office) has issued a maximum Dixons Carphone data breach fine in the sum of £500,000.00.

As the breach period was prior to the introduction of the GDPR, they have escaped fines that could have hit hundreds of millions of pounds under the new rules. But the level of the fine that has been issued reflects the severity of this breach that resulted in the personal information for some 14 million people being compromised. It also led to the details for 5.6 million payment cards being exposed as well.

We’re representing victims for this breach and have been doing for a number of years since news of it broke a couple of years ago.

About the Dixons Carphone data breach fine

The ICO has levied the Dixons Carphone data breach fine at £500,000.00, which is the maximum allowed prior to the introduction of the GDPR.

They have heavily criticised DSG Retail Limited – the formal name of the company – over a number of failures that have been identified. These include poor security arrangements and a failure to protect data as a result of “vulnerabilities” and “inadequate software patching”, as well as them having no local firewall and no network segregation. They were also not routinely testing their security either.

This sustained cyberattack took place between July 2017 and April 2018. Had it have been extended by just a few more weeks, it could have been in the GDPR territory. If that were the case, the fine issued by the ICO could have been far more substantial. We have already seen the provisional levels set for BA at £183m and for Marriott set at £99m.

What the ICO has said

Speaking about the Dixons Carphone data breach fine, the ICO has been clear in how they feel about it.

Steve Eckersley, ICO Director of Investigations, said:

“Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.

The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”


According to several media reports, the company’s Chief Executive has spoken out against the Dixons Carphone data breach fine, and this may not be the end of the saga.

It’s understood that the company is said to be “disappointed” with some of the ICO’s finding. They may also appeal the decision in efforts to reduce the fine, as we cannot see that the fine would be eradicated completely. On the basis of the ICO’s current findings, this was a serious data breach event that lasted for a number of months and may well have been preventable. We usually find that, when those factors are evident, fines can be substantial.

We also cannot ignore the nature of the data that has been exposed, and the volumes of people affected. Payment card data being compromised can put people at an immediate risk of fraud, and around 14 million people subject to personal information exposure is colossal.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.

Request a Callback from our team!

Fill out our quick call back form below and we’ll contact you when you’re ready to talk to us.
All fields marked * are required.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy.
You have the right to object to the processing of your personal data.