Law firm to launch group action following ICO Dixons fine

Data protection specialist Hayes Connor Solicitors will be launching a group action against Dixons Carphone Warehouse after the ICO (Information Commissioner’s Office) announced a £500,000 fine last week following the group’s significant data breach in 2018.

The retailer, which owns Currys PC World and Dixons Travel stores, admitted in 2018 that an undetected cyber-attack took place over a nine-month period between July 2017 and April 2018 exposing the card details of 5.6 million customers, and the personal details of 14 million individuals.

Kingsley Hayes, managing director at Widnes-based data breach and cybersecurity specialist Hayes Connor Solicitors, said: “The ICO’s decision has been long-awaited and is the maximum fine that can be imposed on breaches that occurred before GDPR came into force.

“We submitted a disclosure request to Dixons in 2018 but it refused to answer until after the ICO’s decision.

“We have now recommenced that process and expect that in the coming months a group action will be launched.

“The data breach has exposed millions of its customers to potential identity fraud which could include fake bank accounts being opened in their name, fake credit applications and access to existing bank accounts.

“The ICO’s investigation found Dixons responsible for multiple failings, including having inadequate software patches to prevent the cyber-attack, the absence of a local firewall and a lack of network segregation and routine system tests.

“As a result of its inadequate cybersecurity, millions of Dixons’ customers will have suffered, or are at a risk of, significant financial losses. The psychological stress following such a breach cannot be underestimated with clients often reporting anxiety and depression following a breach of their personal data and this can have an impact on every aspect of a victim’s life.”

The ICO investigation into the Dixons Carphone Warehouse data breach found that the cyber-attack comprised malicious software installed on 5,390 tills in branches of Currys PC World and Dixons Travel stores.

Mr Hayes added: “Dixons has been extremely lucky that this cybersecurity wake up call took place prior to GDPR with the breach taking place over a nine month period up to just one month prior to GDPR coming into force.

“With an annual turnover of billions, the penalties, had the incident continued after 25th May 2018, would have proved extremely damaging. With the high street already facing significant challenges, businesses in the retail sector should heed the warning and ensure that watertight cybersecurity is in place before consumer confidence is further eroded.”

Hayes Connor has instructed Louis Browne QC and Ian Whitehurst of Exchange Chambers in Liverpool to assist with the group action.

Hayes Connor Solicitors was the first firm to serve a representative data breach claim in the High Court following the Court of Appeal’s ground-breaking ruling on October 2, 2019.

The ruling stated that law firms could bring representative action on behalf of just one individual to potentially win damages for the entire affected population. The action against Equifax has a total estimated value of £100m.

Hayes Connor is the data protection advisor to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Yahoo and the Police Federation of England and Wales.