[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

A summary of the relevant background

3. The appeal arises from a cyber-attack on the appellant’s in-store payment systems and the information the attackers obtained from the appellant’s payment systems as a result of that attack. We will refer to the appellant as “DSG” (although it is now Currys Group Limited). The attack, which took place between 24 July 2017 and 25 April 2018, targeted its Currys PC World and Dixons Travel stores and resulted in the attackers obtaining the payment card data from the memory of the point of sale (“POS”) terminals in those stores.

4. Most relevantly for the purposes of this appeal, over five million payment cards were affected by the attack. Most of those cards had what is termed “EMV” protection. A common example of such protection is the use of chip and pin. No chip and pin data was obtained by the attackers from the payment terminals in DSG’s stores. However, the attackers did obtain from the EMV protected payment cards the unique 16-digit numbers on each credit or debit card (the “PAN”) and the card expiry dates. In addition to these EMV protected cards, the attackers also exfiltrated over 52,000 other payment cards which did not have EMV protections. In respect of 8,628 of these non-EMV protected cards the attackers obtained not only the PAN and expiry date of each card but also the cardholder’s name.

5. A substantial quantity of non-financial personal data was also obtained by the attackers, outwith the POS terminals. We address this further when we consider the First-tier Tribunal’s (“FTT”) decision.

6. As the FTT noted at paragraph 13 of its decision, forensic experts have not been able to identify the exact point of entry exploited by the attackers. However, once they gained access to the DSG environment, the attackers were able to compromise a number of internal systems and accounts, including multiple domain administrator accounts which provided the attackers with significant access privileges.

7. The ICO served an MPN on DSG on 7 January 2020. It was served under section 55A of the DPA 1998 “because of a serious contravention” of DPP7. The monetary penalty imposed by that MPN was £500,000 (the then maximum penalty).

8. DSG appealed against the MPN and its appeal was heard by the FTT over seven days in November 2021. The FTT in its decision of 5 July 2022 held that the ICO’s MPN of £500,000 was wrong in law and substituted an MPN in the sum of £250,000.

9. Permission to appeal was granted by Upper Tribunal Judge Wright on 9 June 2023 in respect of two of DSG’s six proposed grounds of appeal (Grounds 1 and 3). As we explain in more detail below, there is an issue as to the scope of the grant of permission in relation to Ground 1. Pursuant to Judge Wright’s order, the effect of the FTT’s decision is suspended until this appeal to the Upper Tribunal has been finally determined.