[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The FTT’s decision

20. Given the breadth of the issues arising on this appeal, it is necessary to set out the FTT’s decision in some detail.

21. Under the heading “Factual Background”, the FTT set out that the attackers had “scraped” payment card data from the memory of the POS terminals before it entered DSG’s encrypted system. 5,646,417 payment cards had been affected, of which 5,592,349 had EMV protection. Of the remaining 54,068 cards, DSG had been unable to determine whether 1,280 had EMV protection. However, 52,788 of those remaining cards were known not to have EMV protection, and of those, in relation to 44,160 cards the attackers obtained only the PAN and the card expiry dates. In the case of the remaining 8,628 cards without EMV protection, the attackers had obtained the cardholder name in addition to the PAN and expiry date. This scraped payment card data was referred to before the FTT as Batch 1 data.

22. The attack, however, also accessed a substantial quantity of non-financial data, which was accessed by the attackers other than from the POS terminals. This non-financial data comprised:

(i) 1,181,839 records containing a combination of employee data, customer data and supplier information, described as having been obtained from different sources within DSG’s domain. This was referred to as Batch 2 data. This data included customer email addresses, postcodes, postal addresses, and telephone numbers;

(ii) approximately 10 million records of personal data had been extracted from a marketing database. This was referred to as Batch 3 data. This potentially included data such as customer names, postal addresses, phone numbers, email addresses, dates of birth, and data related to failed credit check details;

(iii) approximately 2.9 million records from a database used by DSG for internal fraud investigations. This was called Batch 4.1 data in the FTT proceedings. This was personal data broadly similar to that in Batch 3, but also included payment card data in a masked format (i.e. details of the card expiry date, issue date and PAN with the middle eight digits replaced by XXXXXXXX); and

(iv) approximately 4.7 million records from a second database related to internal fraud investigations. This was referred to as Batch 4.2 data. This data included bank account details and sort codes.

The FTT noted that there was no definitive evidence whether any of Batches 1 - 4.2 had been successfully exfiltrated. However, it was not disputed that the attackers possessed the technological skills to have done so.

23. Having set out the relevant law at paragraphs 22 - 36, the FTT addressed the ICO’s MPN. In particular, at paragraph 40 of its decision the FTT set out the “inadequate security measures (‘contraventions’) identified in the MPN”. In summary, these were described by the FTT as: inadequate network segregation between the POS environment and the wider DSG network (“contravention 1”); the lack of a local firewall on the POS terminals (“contravention 2”); inadequate software patching (“contravention 3”); a failure to perform vulnerability scanning of the compromised environment on a regular basis (“contravention 4”); failure consistently to manage application whitelisting across all POS terminals (“contravention 5”); the lack of an effective system for logging and monitoring IT incidents in a timely manner (“contravention 6”); running software on the POS terminals that was outdated by several years and no longer maintained by the provider (“contravention 7”); as a consequence of contravention 6, running an out-of-date system on the POS terminals that did not support point-to-point encryption (“contravention 8”); failing to manage effectively the security of domain administrator accounts (“contravention 9”); and failing to implement standard builds for all components based on industry-standard hardening guidance (“contravention 10”).

24. Between paragraphs 50 - 74 the FTT summarised the evidence it had heard. It is unnecessary for us to refer to this in detail. The FTT heard oral evidence from three non-expert witnesses: Mr Naveed Islam, the Head of Security Strategy for the Dixons Carphone Plc group until 31 December 2020; Mr Elliott Frazer, the Head of Business Standards and Data Protection Officer at Dixons Carphone Plc; and Mr Romeen Partovnia, a member of the ICO’s Cyber Investigations and Incident Response Team. The FTT also heard evidence from three expert witnesses: Professor Paul Dorey, an expert in cyber and information security; Professor Steven Murdoch, an expert in the security of payment card data; and Mr Benn Morris, an expert on cyber security.

25. In its “Findings of fact and reasons” the FTT first noted that key aspects of the contraventions of DPP7 were no longer relied on by the ICO. Given the extent to which the contraventions identified in the ICO’s MPN were no longer supported, the FTT was satisfied that not all the shortfalls identified in that MPN were contraventions of DPP7. It therefore found that the ICO’s MPN was not in accordance with the law and that the FTT should substitute its own MPN.

26. The FTT found that approximately 18.5 million records of largely non-financial personal data under Batches 2, 3, 4.1 and 4.2 were accessed by the attackers. This data comprised names, addresses, postcodes, email addresses, dates of birth, telephone numbers, details of failed credit checks, partially concealed PAN in a context where the PAN was linked with other personal data, and bank account details. This total was approximately two million more than that found in the ICO’s MPN, but the FTT based its higher finding on DSG’s evidence before it, which the FTT took to represent the most current assessment of the attackers’ activities. The FTT had regard to the fact that all figures before it were approximate and may have involved some duplication between the various Batches. However, it was “nevertheless…satisfied that a very substantial volume of non-financial personal data was unlawfully accessed as a consequence of the attack”.