The ICO’s MPN
Although the MPN served by the ICO has been superseded by the FTT’s decision, it provides important context for the FTT’s decision and we therefore highlight some relevant parts of it.
Presaging a key issue in this appeal to the Upper Tribunal, the ICO rejected DSG’s argument that the PAN did not constitute personal data in the hands of the attackers in those cases where the cardholder’s name was absent from the data obtained by the attackers. The ICO maintained that “the PAN alone does constitute personal data” and therefore considered “that the total number of affected cards (5,646,417) contained personal data at risk of being compromised by the attack”.
The ICO’s MPN set out her “preliminary view” that DSG contravened DPP7 in relation to its computer system and organisational measures because: (i) DSG’s network segregation was not sufficient; (ii) there was no local firewall configured on the POS terminals; (iii) DSG’s approach to software patching of its domain controllers and the systems used to administer them was inadequate; (iv) vulnerability scanning of the compromised environment was not performed on a regular basis; (v) DSG failed to correctly manage application whitelisting across its full fleet of POS terminals; (vi) DSG did not have an effective system of logging and monitoring in place to identify and respond to incidents in a timely manner; (vii) it did not effectively manage the security of its POS systems because elements of its POS software were outdated; (viii) furthermore, DSG’s POS system did not support point-to-point encryption; (ix) DSG failed effectively to manage the security of its domain administrator account in that it did not risk assess the addition of user accounts and failed to adhere to its own policies in respect of access permissions and passwords; and (x) it failed to implement standard builds for all system components based on industry standard hardening guidance.
The ICO, having had regard to the state of technological development, the cost of implementing any measures and the nature of the personal data and harm that could arise from its misuse, determined that there were multiple inadequacies in DSG’s technical and organisational measures for ensuring the security of personal data on its system. The ICO stated that she was mindful that DPP7 and the requirements of section 55A of the DPA 1998 were concerned with measures and the kind of contravention, rather than with any actual data breach, but the attack had exposed the contents of DSG’s systems to serious risks. It was the ICO’s view that each of the ten inadequacies would have constituted a contravention of DPP7. However, she assessed DSG’s arrangements in the round and on that basis took the preliminary view that there had been a multi-faceted breach of DPP7 by DSG.
Having found a contravention of DPP7, the ICO’s MPN went on to explain why the conditions for issuing an MPN had, in her view, been met.
The ICO considered the contravention was serious because there were a number of distinct and fundamental inadequacies in DSG’s security systems which appeared to have persisted over a relatively long period of time. Moreover, the attack had been ongoing for 9 months before it was detected, giving the attackers ample opportunity to view and extract data. A number of the inadequacies related to basic and commonplace measures which, in the ICO’s view, were needed for any such system: for example, the absence of network segregation and inadequate software patching. Furthermore, there was a significant amount of personal data on DSG’s systems, and the volume and breadth of financial personal data, and non-financial data, which had been affected was sufficient to increase the seriousness of the contraventions. Moreover, the nature of this personal data heightened the seriousness of the contravention because it rendered the affected individuals susceptible to financial theft and identity fraud. In addition, the ICO had received a significant number of complaints about the attack, and the ICO considered these evidenced both the distress the attack had caused and the worry of increased fraud. Finally, the ICO considered that the general public would expect DSG to “lead by example” and to be sufficiently protected so as to avoid such systemic non-compliance.
Turning next to explain why the contravention was of a kind likely to cause substantial distress or substantial damage, the ICO’s MPN set out, inter alia, that a contravention involving personal data, and in particular payment data, was likely to be useful in terms of identity theft and fraud. Furthermore, the contravention exposed personal data to the risk of cyberattack. And even if the damage or distress likely to have been suffered by each affected individual was less than considerable, the totality could nevertheless be substantial. Given the large number of affected individuals, whether in terms of financial or non-financial personal data, the “substantial distress” threshold was clearly met.
The ICO further determined in the MPN that DSG knew or ought reasonably to have known that there was a risk that the contravention would occur and be of a kind likely to cause substantial damage or substantial distress.
The ICO’s MPN also found that DSG had failed to take reasonable steps to prevent such a contravention. This finding was based, inter alia, on DSG being a large, well-resourced and experienced data controller, which was processing payment card data and non-financial data for a large number of data subjects, and which therefore should have been aware of the potential consequences of cyber breaches where robust cyber security measures were absent. DSG, moreover, was well placed to assess weaknesses in its data security arrangements and take appropriate action. This was particularly so given that a number of the inadequacies related to commonplace measures (e.g. network segregation and adequate patching) which should have been obvious to any data controller working with such IT systems. Further, given DSG’s size and prominence, it should have appreciated that the misuse of personal data held on its systems was likely to cause substantial distress and damage, including risks of identity fraud and theft. By failing to fully implement basic good practice measures prior to the attack, DSG failed to take appropriate steps to prevent the contravention.
It was on the basis of all of the above that the ICO decided it was appropriate to issue an MPN against DSG.
THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
Decision date: 23 September 2024
[2024] UKUT 287 (AAC)