The maximum fine was dished out this week by the ICO in the UK, to DSG Retail Ltd (aka Dixons Carphone), for a data breach which compromised its internal network for 9 months and led to the loss of approximately 5 million credit card records and the personal data of approximately 14 million individuals.
The numbers are high, but not Facebook high.
So what gets you the maximum fine possible under the UK Data Protection Act 1998 (as this incident pre-dates the GDPR)?
There is a certain irony in a large retail organisation that sells laptops and mobile phones being called out on its staggeringly poor IT security.
How poor? Running Java that was 8 years out of date poor. As one example.
Running Java that is 8 hours out of date would make me nervous.
The monetary penalty notice is here in full detail, but I will summarise below the key actions that need to be taken if you want to get the maximum possible fine under the GDPR.
Actions to take to get the maximum GDPR fine
- It helps if you don’t find the breach yourself. Blissful ignorance is key, along with having to be told by someone externally that you have been breached.
- It helps if you don’t segregate your network, so the attacker can roam around the entire network at will.
- Continue to hold domain passwords in Group Policy, when Microsoft told everyone to stop doing this four years earlier. It also helps if you only do precisely half of what Microsoft said needs to be done to fix the problem.
- Have no idea what has been taken because your logging and monitoring are so bad.
- Try arguing with the ICO that credit card data does not constitute personal data, and therefore doesn’t count.
- Commission a PCI-DSS security assessment report and when it comes back all red, don’t do anything to fix the issues raised.
- Don’t run a local firewall on your Point of Sale Terminals.
- Don’t check your IT estate for vulnerabilities on a regular basis and patch sporadically.
- Don’t whitelist applications on your POS Terminals.
- Run the oldest version of Java known to man.
- Sign up to an industry standard like PCI-DSS and then don’t comply with it.
- Don’t use Point to Point Encryption.
- Don’t use standard builds.
- Argue with the ICO that you actually have really good IT security with the exception of a few gaps, and lament the exceptionally high security standards you are being measured against.
- Make sure you badly handle over 3,000 customer complaints relating to the breach.
- Don’t take any action when a subsidiary (Carphone Warehouse) gets fined £400,000 for pretty much the same failings a few years earlier.
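To turn the Group Policy bullet into something you can actually check on your own estate: Group Policy Preferences stored account passwords in SYSVOL XML files under a cpassword attribute, and Microsoft's 2014 fix stopped new ones being written but left any existing ones for administrators to remove by hand. The Python script below is an added example, not code from this post or from the ICO notice. It walks a directory tree for the GPP XML file types, parses each one, and reports every element that still carries a cpassword attribute, without decoding it. The file-name list, the Finding record and the two sample XML documents are constructed for the example.

```python
"""Audit Group Policy Preference XML files for leftover stored credentials.

Added example (not from the blog post or the ICO notice). Reports where a
'cpassword' attribute still exists in GPP XML; it does not decode anything.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# GPP preference types whose XML could carry a cpassword attribute.
# (Set assumed for this example; Registry.xml and others are not scanned.)
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Constructed sample: a Groups.xml preference still holding a password.
# The cpassword value is a placeholder, not a real encrypted string.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2016-01-01 10:00:00">
    <Properties action="U" userName="LocalAdmin"
                cpassword="PLACEHOLDER_ENCRYPTED_VALUE" neverExpires="1"/>
  </User>
</Groups>
"""

# Constructed sample: the same preference with the stored password removed,
# i.e. the second half of the fix actually done.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" neverExpires="1"/>
  </User>
</Groups>
"""


@dataclass
class Finding:
    path: str      # file the attribute was found in
    element: str   # XML element tag carrying cpassword
    account: str   # account the preference applies to, if the XML says


def is_gpp_file(name: str) -> bool:
    """True for file names that belong to a GPP type we scan."""
    return os.path.basename(name).lower() in GPP_FILES


def scan_xml_text(text, path: str) -> list:
    """Return a Finding for every element with a cpassword attribute.

    Accepts str or bytes; bytes are preferred for real files so expat can
    honour a BOM or a UTF-16 declaration. Unparseable input yields no findings.
    """
    data = text.encode("utf-8") if isinstance(text, str) else text
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        # Different preference types name the account attribute differently.
        account = (elem.attrib.get("userName")
                   or elem.attrib.get("accountName")
                   or elem.attrib.get("runAs")
                   or "<unknown>")
        findings.append(Finding(path, elem.tag, account))
    return findings


def scan_sysvol(root_dir: str) -> list:
    """Walk a Policies tree and collect findings from every GPP XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not is_gpp_file(name):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                findings.extend(scan_xml_text(fh.read(), full))
    return findings


def demo_scan() -> list:
    """Write both samples into a temporary tree and scan it (offline demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "GPO-A", "Machine", "Preferences", "Groups")
        good = os.path.join(tmp, "GPO-B", "Machine", "Preferences", "Groups")
        os.makedirs(bad)
        os.makedirs(good)
        with open(os.path.join(bad, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(good, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"STORED CREDENTIAL: {f.path} <{f.element}> account={f.account}")
```

Against a live domain, point scan_sysvol at the Policies share (\\<domain>\SYSVOL\<domain>\Policies, with <domain> being your own) from an account with read access, and treat every finding as a password to rotate and an XML entry to delete, since removing the attribute alone does not invalidate a password that has already been readable by every domain user.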
If you manage to achieve all of these actions, you can join the maximum fine club at the ICO. Current members of this elite club are:
- Dixons Carphone (DSG Retail Ltd)