Dixons Carphone fined £500,000 over serious data breach
The company behind Currys PC World and Carphone Warehouse identified a breach in 2018, originally estimating that a little over a million people had their personal data compromised.
But the Information Commissioner's Office (ICO) investigation revealed that a ‘point of sale’ computer system was compromised as a result of the cyber-attack, exposing the full names, postcodes and email addresses of at least 14 million people.
It found that an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores between July 2017 and April 2018. Personal data was being collected over this nine-month period.
The ICO said DSG Retail Limited (DSG) failed to take basic steps to secure the system, which allowed unauthorised access to 5.6 million payment card details used in transactions and left millions of customers vulnerable to financial theft and identity fraud.
In total, the ICO received 158 complaints between June 2018 and November 2018 from customers. As of March 2019, DSG reported that nearly 3,300 customers had contacted them directly in relation to this data breach.
Dixons Carphone breached the Data Protection Act 1998 by having poor security arrangements and failing to take adequate steps to protect personal data. The ICO said this included the absence of a local firewall, a lack of network segregation and a lack of routine security testing. As such, it has fined DSG the maximum £500,000 for its serious failings.
In January 2018, the ICO fined Carphone Warehouse £400,000 for similar security vulnerabilities.
“Careless loss of data”
Steve Eckersley, ICO’s director of investigations, said: “Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen.
“Such careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud.
“We recognise that cyber-attacks are becoming more frequent, but organisations have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.”
Chief executive of Dixons Carphone, Alex Baldock, said: “We are very sorry for any inconvenience this historic incident caused to our customers.
“When we found the unauthorised access to data, we promptly launched an investigation, added extra security measures and contained the incident.
“We have no confirmed evidence of any customers suffering fraud or financial loss as a result.”
Baldock added that the company disputes some of the ICO's findings and is considering grounds for appeal.