ICO wins appeal over data protection obligations in Currys cyber attack

The UK Information Commissioner’s Office (ICO) has won an important appeal relating to data protection obligations arising from a 2017-18 cyber attack at electronics retailer Currys PC World. Currys Group Ltd was previously DSG Retail, that they fell victim to a major cyber attack during a nine-month period in 2017 and 2018. 

In January 2020, the ICO levied a £500,000 fine on DSG under the Data Protection Act (DPA) 1998 after its investigation found the retailer had failed to patch software systems, install firewalls, segregate its networks, conduct routine security testing, or protect personal data. The fine was lower than that mandated under GDPR because the breach took place before the legislation came into effect.