[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The contravention of DPP7

28. The FTT’s findings and reasons then turned to DPP7 and, per paragraph 99:

“99. …whether the security measures in place at the time of the Attack were appropriate technical and organisational measures against the unlawful or unauthorised processing of personal data, having regard to the state of technological development at the time, the cost of implementing security measures and issues of proportionality”.

29. The FTT noted that the ICO, on paper, appeared at times to have approached the matter as if the attack itself was a contravention; the FTT established that was not the ICO’s view in practice (paragraph 107). It was clear that the attack itself was not a contravention (paragraph 107). Given the extent to which the ICO’s case before it had changed, for reasons of fairness, the FTT made findings (at paragraph 110 of its decision) only in relation to the MPN contraventions upon which the ICO was still relying. The FTT found only two of the contraventions relied on by the ICO were contraventions of DPP7. These are contraventions 3 and 9, and we deal with them in greater detail below.

30. Before doing so, however, we touch briefly on the alleged contraventions the FTT did not find breached DPP7. Alleged contravention 1 was not made out because there was generally low take-up of network segregation measures by industry, due to the expense and complexity of implementing them, and therefore DSG did not breach DPP7 in not putting such measures in place. As for alleged contraventions 2 and 5, the FTT found that DSG’s POS terminals had adequate firewalls and whitelisting functions installed. Alleged contravention 4 concerned DSG’s failure to vulnerability-scan the POS terminals, but the FTT accepted it was rational for DSG to prioritise work on the data centre. Given Professor Dorey’s evidence that the standard of DSG’s logging and monitoring met or exceeded the standards expected in the retail sector in 2017, alleged contravention 6 was not a breach of DPP7 either. Nor was alleged contravention 8, as DSG’s approach to the upgrade of security was rational. As for alleged contravention 7, the FTT found that “[g]iven the consultation with an IT security expert and the reliance on mitigations, … the continued reliance on outdated software was not a contravention of DPP7 per se”, but it was a relevant factor when assessing the appropriateness of DSG’s technical and organisational measures globally.

31. Contraventions 3 and 9 concerned DSG’s having been made aware (by a report prepared by an information security consultancy in May 2017, referred to as “the B Report”) that the DSG domain had not been updated with a number of software security patches, some of which had been identified as critical. One such patch was from 2014 and required a two-stage process in which the second stage, after the patch had been applied, required the pre-existing administrator passwords to be deleted from the Group Policy account. This had not been done by the time of the B Report in May 2017, which identified this failure as a recurring issue, and the administrator passwords had still not been deleted by November 2017. The FTT accepted that the responsibility for these software security patching actions lay at the time with DSG’s external IT security contractor, but DSG remained accountable for its IT security. The FTT further gave weight to evidence of Professor Dorey that maintaining up-to-date security patches was an important security requirement, that the number of critical patches which were still to be applied in May 2017 would have been a source of concern for him and that this indicated an erratic approach to patch solution within DSG’s domain. In addition, once the attackers had gained access to DSG’s domain, they took advantage of the inadequate management of administrator passwords for the Group Policy account, and it was very likely that the failure to delete the administrator passwords became one of the vectors of the attack. There was, moreover, no evidence before the FTT of any risk assessment or decisions made by or on behalf of DSG relating to the critical risks of security patch management and password practices after it had had concerns about these matters drawn to its attention in 2017 and 2018.

32. Despite its use of external IT consultants, the FTT was satisfied that senior managers at DSG had been made aware at least twice that DSG’s IT system had a critical security vulnerability in relation to its approach to patch management, and at least once that there was an issue with their password policy. Further, DSG had been notified of the critical risk arising from the failure to complete the required second stage (deleting the administrator passwords) in relation to the 2014 software patch.

33. The FTT therefore concluded that, having commissioned the B Report for the purpose of identifying security vulnerabilities of this nature, there was a reasonable expectation that DSG should have taken positive steps to address as a priority any critical risks or systemic weakness that had been identified. It further concluded that:

“110. (m) …notwithstanding the complexity of the DSG IT domain and the challenges described of rolling out security patches across the entire estate, the approach within DSG to software patching and to the management of passwords/domain administrator password accounts amounted to a failure to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data… Further, and in the absence of evidence of any risk assessment, we are satisfied that any decision made by DSG in relation to adopting appropriate technical and organisational measures in this regard ought not to be viewed as an exercise of judgement of the nature anticipated in Morrisons, whether or not that decision was taken positively or default. We are satisfied that DSG’s failure to take appropriate measures in relation to this risk was a contravention of DPP7 for which it is appropriate to hold DSG to account.

(n) When reaching this conclusion, we have approached any evidence of use by the Attackers of the vulnerability created by the contravention as being solely confirmation of the potential risks. We are satisfied from the evidence before us that the Attackers were sophisticated criminals and that their ability to gain access to DSG’s domain should not be taken as an indication that DPP7 obligations cannot have been met.”