Currys PC World/Dixons Travel data breach timeline

stack of credit cards on a laptop keyboard

In January 2020, DSG Retail Limited  was fined half a million pounds for failing to protect its customers’ personal data. This figure was later reduced to £250,000. The DSG Retail Limited data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores.

The details stolen by the cybercriminals included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also got access to the records of 5.9 million payments cards. All these details can be used by cybercriminals to commit further crimes.

But where are we up to in this case? And what has happened so far?

Currys PC World/Dixons Travel Data Breach Timeline

  • July 2017 to April 2018
    An attacker installed malicious software on 5,390 tills in branches of Currys PC World and Dixons Travel. During this period, the vulnerability went undetected and hackers were able to access a huge amount of personal data.
  • 5 April 2018
    The business became aware of the data breach. The company was unable to definitively state what data, or how much data, was exfiltrated.
  • 8 June 2018
    The company first notified the Information Commissioner’s Office (ICO) that it had suffered a cyber-attack. At this stage it admitted that 5.9 million credit card numbers and 1.2 million records containing non-financial personal data had been accessed.
  • 30 July 2018
    The company revealed that 10 million customer records may have been accessed in the cyber-attack. That was ten times more people than the retailer first thought.
  • 9 January 2020
    The ICO fined the company £500,000. According to the ICO: “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
  • 5 July 2022
    The Information Rights First Tier Tribunal reduced the fine from £500,000 to £250,000

The ICO investigation

The ICO investigation found:

  • systemic failures in the way DSG Retail Limited safeguarded personal data
  • failures relating to basic, commonplace security measures
  • a complete disregard for the customers whose personal information was stolen.

Following the ICO’s fine, we launched a Currys PC World/Dixons Travel data breach claim

If you were a customer/potential customer of Dixons Retail Group (DRG) – which includes Currys PC World and Dixons Travel stores – between 2015 and 2018 it is likely you were affected by this breach. You could be affected if you bought a product outright or on finance, attempted to buy a product on finance but were refused, or if you took a support product or warranty out with DRG in that time.

At Keller Postman UK, we have launched a group action claim against DRG. Group actions can be a powerful tool and can have a bigger impact than a single claim.


We can take on your claim on a no-win, no-fee basis, so you have nothing to lose.

Register to become part of our Currys PC World/Dixons Travel data breach group action. 

Share this article: