ICO wins appeal over data protection obligations in Currys cyber attack

The Court of Appeal (CoA) has ruled in favour of the Information Commissioner’s Office in an appeal against a previous decision regarding the data protection responsibilities of businesses that arose after a 2018 cyber attack on DSG Retail – which now operates as Currys Group Ltd – the parent organisation of former UK electronics retail brands including Carphone Warehouse, Dixons and PC World.

DSG fell victim to a major cyber attack during a nine-month period in 2017 and 2018. The incident saw cyber criminals install malware on the firm’s point-of-sale (PoS) devices that was used to steal personal data including the credit and debit card details of millions of customers, and in a small number of cases their names, postcodes and contact details.

In January 2020 the ICO levied a £500,000 fine on DSG under the Data Protection Act of 1998 (DPA) after its investigation found the retailer had failed to patch software systems, install firewalls, segregate its networks, conduct routine security testing, or protect personal data. The fine was lower than that mandated under the General Data Protection Regulation (GDPR) because the breach took place before it came into effect.

In previous appeals to the First Tier Tribunal (FTT) and Upper Tribunal (UT), DSG argued that the seventh data protection principal (DPP7) of the DPA under which it was fined was not applicable to the incident.

It said that while the attackers did obtain full 16-digit card numbers, expiry dates and cardholder names in a limited number of cases, in most cases the cards were protected by electromagnetic verification (EMV) – chip-and-pin – so the attackers could only obtain the 16-digit card numbers and expiry dates, and no names.

As such, it said it did not need to take ‘appropriate technical and organisational measures’ (Atoms) to secure the EMV data because it was not ‘personal data’ in the hands of a third-party. It argued that the question over the applicability of DPP7 to said data needed to be considered from the point of view of the third-party – that is to say, the hackers.

The FTT initially dismissed this argument, but the UT supported it, prompting the ICO to seek permission to appeal last year. At the time, information commissioner John Edwards said the DPA was clear that organisations must put Atoms in place to protect personal data regardless of whether it was pseudonymised.

“We have seen many cases where people have been affected when malicious actors have accessed, deleted or encrypted pseudonymised personal data, for example when medical or financial data is compromised,” he said.

Today’s decision, handed down by Lord Justice Warby, supports Edwards’ view, concluding that when an individual to whom data relates may is identifiable to a data controller, the data controller must safeguard that data against unauthorised or unlawful processing whether or not the person processing it can use it to identify the individual.

The ICO welcomed the CoA ruling, saying it clarified an important point of data protection law in reinstating a clear interpretation of the legal responsibilities of organisations to keep personal data safe.

“I have concluded that the UT’s reasons for adopting a narrow interpretation of the statutory wording, though careful and thorough, are not in the end compelling,” wrote Warby in his judgement.

“They lead to some surprising conclusions. In my judgment, a broader construction is more consistent with the language of the statute and its parent Directive, the identifiable purposes of the data protection legislation, and with the few decided cases that have any significant bearing on this issue. I would therefore allow the appeal.”

“Today’s judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry,” said ICO general counsel Binnie Goh.

“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold,” said Goh.

Computer Weekly has contacted Currys Group Ltd for a response, and this article will be updated should one be received.

The case will return to the FTT at a later data to reapply the CoA’s new interpretation to the facts of the DSG incident.