As reported by The Register, the UK's data protection watchdog, the Information Commissioner's Office (ICO), has secured a significant legal victory against DSG Retail concerning a 2017 data breach that exposed millions of customer records.In 2020, the ICO fined DSG Retail the maximum £500,000 under the Data Protection Act 1998. The breach involved malware installed on 5,390 tills across Currys PC World and Dixons Travel stores, compromising 5.6 million payment card details and personal information of 14 million individuals. The core dispute centered on whether card numbers and expiry dates alone constituted personal data if attackers couldn't directly identify individuals. DSG argued it did not, but the Court of Appeal, per Lord Justice Warby, ruled that data must be assessed from the controller's perspective. If the data, even card numbers and expiry dates, could lead to identification by the controller or through "jigsaw identification" with other available data, it is considered personal data.This ruling clarifies that organizations have a legal duty to protect all personal data they process, regardless of whether a third party could immediately identify individuals from a compromised dataset. The case will now return to the first-tier tribunal for further review, with potential for appeals to higher courts.Source: The Register
Security Operations, Government Regulations, Data Security
UK court rules in favor of ICO in DSG Retail data breach case

(Adobe Stock Images)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



