Last week Dixons Carphone became the first major big-name brand to suffer a data breach since the General Data Protection Regulations (GDPR) came into force. Many commentators and experts are now looking at how it is dealt with under the new, shiny regulations.
At the time Carphone revealed that there had been unauthorised access to certain data held by the company, with an attempt to compromise 5.9 million credit cards in the processing systems of Curry’s PC World and Dixons Travel Stores.
While 5.8 million of the affected cards were protected by chip and PIN, Carphone did admit that 105,000 non-EU issued payment cards had been compromised. It also revealed that 1.2 million records containing non-financial data, such as names and addresses, had been stolen.
Carphone assured people that there was no evidence that the data had left their systems or had resulted in any fraud.
So, the question among the cybersecurity community is how Carphone will be dealt with in the new GDPR world and the possible financial penalties they could incur.
As the first major data breach to hit headlines since GDPR was enforced last month, there will be many companies keeping a watchful eye over how this is handled.
“Under these new regulations, companies can be fined up to 4% of their annual turnover if they fail to protect their data. However, with this breach taking place pre-GDPR, it’ll be interesting to see what approach the ICO takes.” - Ross Brewer, VP and MD EMEA, LogRhythm
Carphone contacted the Information Commissioner’s Office (ICO) immediately after the breach was revealed. And now, it seems, how the investigation proceeds will be down to the ICO: it can open an investigation either under GDPR or under the existing telecoms regulatory laws.
If the ICO pursues this under GDPR, it could be a lengthy investigation, as the ICO will need to liaise with other regulators because individuals outside the UK were also affected.
The ICO will also need to ask Carphone a series of tough questions and will expect prompt answers, especially as firms such as Dixons are subject to additional reporting obligations.
When it comes to the size of the fine, the ICO will look at Carphone’s previous track record and how easily the breach occurred. If the attackers exploited a known vulnerability, the fine is likely to be higher.
The setting of fines under GDPR is a complex process, and both the ICO and Dixons Carphone will be looking for any mitigating factors among the details of the incident.