The DSG Retail Limited data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores.
The details stolen by cybercriminals included:
The hackers also got access to the records of 5.9 million payments cards. All of these details can be used by cybercriminals to commit further crimes.
The company was fined £250,000 by the Information Commissioner’s Office (ICO) for failing to protect its customers. But this payment will not be used to compensate victims.
Keller Postman UK has launched a group action against Currys PC World/Dixons Travel. Group actions can be a powerful tool and can have a bigger impact than a single claim.
IF YOU HAVE BEEN AFFECTED BY THE CURRYS PC WORLD/DIXONS TRAVEL DATA BREACH, WE CAN HELP YOU MAKE A NO-WIN, NO-FEE CLAIM FOR DATA BREACH COMPENSATION.
The business was fined £250,000 by the Information Commissioner’s Office (ICO) for:
But this payment will not be used to compensate victims.
Despite accepting that it had fallen short of its data protection requirements, DSG appealed the penalty. And while many data protection advocates believed that the company got away lightly with the original £500,000 fine, this has now been reduced to just £250,000.
It is not too late to join our no-win, no-fee Currys PC World/Dixons Travel data breach action, but time is running out. To make sure you get the compensation you deserve, register with us today.
Find out more about making a group action claim for compensation.
What does no-win, no-fee actually mean and are there really no costs if you appoint us?
We are one of the most experienced multi-claimant law firms in the UK.
Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.
We represent clients in group actions with innovation, resources, and expertise.
We work with expert barristers to ensure you get the very best level of legal support available.
We have all the resources and global expertise necessary to take on complicated cases and win.
We have offices in Chancery Lane London, Birmingham and Liverpool, and the technology to provide a nationwide service, so we can help clients across England & Wales.
We use technology to deliver a better legal experience to our clients.
We work on a no-win, no-fee basis.
We make the process straightforward and hassle-free.
Following the Currys PC World/Dixons Travel data breach, Keller Postman UK intends to begin a group action to help victims of this privacy violation claim compensation. Here’s a guide to the Currys PC World/Dixons Travel data breach to help you find out if you have a claim, and what you need to do to secure justice for the violation of your data protection rights.
The data breach happened when an attacker installed malicious software on 5,390 tills in branches of Currys PC World and Dixons Travel. During this period, the vulnerability went undetected and hackers were able to access a huge amount of personal data.
This information can be used by cybercriminals to commit further crimes. Phishing is especially common after a data breach. The hackers also got access to the records of 5.9 million payment cards.
If you made a purchase at Currys PC World or Dixons Travel between July 2017 and April 2018, you could be affected by the data breach. But the ICO’s investigation into the data breach found that even more people were involved in the hack.
The data stolen also included details of people who had either service plans, or who had made finance purchase enquiries before the breach occurred. The company stored data on those transactions to include both passed and failed credit checks, and over two million of those records were accessed and obtained by the hackers. So, if you made or attempted to make a purchase with the Dixons Group from 2015 onwards, your details could have been taken.
The ICO – which is the UK’s data protection regulator – investigated the breach and uncovered:
In January 2020. the ICO fined DSG Retail Limited (which owned Currys PC World and Dixons Travel) half a million pounds for the data breach. But, despite accepting that it had fallen short of its data protection requirements, DSG appealed the £500,000 penalty on several grounds. Amongst other things, it argued that:
The appeal also looked at the contentious issue of what constitutes personal data in its own right. In this case, DSG argued that the bank account numbers (PAN) accessed were not ‘personal data’ as described by UK data protection law, and as such, a lower fine should have been imposed.
While the ICO still believes there were significant failures in DSG’s security provisions, the appeal accepted that the original decision was flawed in parts. Not all of the security shortfalls can be described as “distinct and fundamental inadequacies in security arrangements” or infringements of data protection law.
However, the appeal also ruled that the PAN scraped from the POS terminals was personal data, as it could be used to identify an individual in conjunction with other data likely to be processed by the business. Moreover, even without taking PAN into account, the overall volume of personal financial and non-financial data accessed was enough to ensure a high fine.
In summary, the appeal found that this was a significant data breach and that those affected could have experienced considerable worry and concerns about the risks of identity fraud following the violation. It also found that DSG should have done more to protect its customers.
Nevertheless, the appeal balanced this against the fact that the company was taking data protection seriously. It was investing substantial resources into a long-term security transformation programme, had a clear internal governance structure, and had appointed external IT security specialists to ensure adequate IT security arrangements in the interim.
As such, the decision to impose the maximum possible penalty on DSG was overturned and while many data protection advocates believed that the company got away lightly with the original £500,000 fine (which could have been much bigger under more recent data protection legislation), this was reduced to just £250,000.
The level of fine imposed by the ICO does not directly impact anyone making a Currys PC World/Dixons Travel data breach compensation claim, because victims of the data breach will not get a penny on this penalty (it goes to HMRC). The only way to receive compensation and justice is to make a data breach compensation claim.
To progress your case, we need evidence that you were involved in the Currys PC World/Dixons Travel data breach. We appreciate that this is frustrating, but by giving us the evidence we need, we can make the strongest possible claim on your behalf.
This is the easiest way to prove your involvement in the breach.
However, even if you have this evidence, if you took out credit to make your purchase, you should also send us a copy of your credit report for 24th July 2017 – 25th April 2018. People who used credit to make their purchase may have had ‘special category’ data breached, and this could result in a higher level of compensation. Find out how to get a copy of your report below.
If you have an account with a credit agency (e.g. Equifax or Experian), you can get a copy via your online account. If you do not have an account with a credit agency, most offer free-trial periods which you can use to access your report. Please note that we need a copy of your credit report, which is a full record of your borrowing history, not your credit score. The report must cover the data breach period which is 24th July 2017 – 25th April 2018.
There are also several third-party credit monitoring companies that you can use to access your report. These include Credit Monitor, ClearScore and CheckMyFile. Some of these services offer free trial periods, whereas other provide a completely free service (usually so that they can market other services to you). It is worth checking the small print before you sign-up.
Registering with a credit agency or monitoring company is good practice to ensure credit isn’t taken out in your name without your knowledge.
If you have online banking, sign in to your account and access and download a statement for 24th July 2017 – 25th April 2018.
If you do not have online banking and you do not have a paper copy that covers the data breach period, you can request this from your bank.
Once you have registered with us, we will provide details on how to send us this evidence.
A data breach can result in both financial and identity theft. With enough stolen information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts, use your cards to make payments, and access your existing accounts. Criminals also use financial data in scams designed to extract additional information from victims (e.g., banking passwords). And hackers often sell stolen financial data to other criminals for future scams.
Even if no money is lost, the impact of a financial data breach can be significant. Many victims suffer from stress, anxiety, and distress due to living with the added risk and the extra vigilance needed. Thankfully, over the last few years, people have been waking up to the reality of mental health, and there is a greater awareness of the lasting effects of psychological suffering and anguish.
While Currys PC World and Dixons Travel were victims of a cyber-attack, DSG controlled your personal information and had a duty to look after it.
The appeal acknowledged that millions of customers had their personal data stored on DSG’s IT system at the time of the breach and that these people had a right to assume that it would be protected. The appeal also concluded that “the personal data in relation to which this contravention occurred was of a kind likely to cause substantial distress both qualitatively and quantitatively”
Poor security processes allowed the breach to happen, so DSG is responsible and must be held to account. Furthermore, this is not the first time the company has failed to protect its customers’ data. In fact, there is a history of data negligence at the company. It is essential to hold DSG Retail Limited to account if data security is to improve.
Our data protection solicitors have listed some helpful links to ensure victims of the Currys PC World/Dixons Travel data breach know where they can turn.
The leading independent victim’s charity in England and Wales for people affected by crime and traumatic incidents.
If you are struggling emotionally after a data breach, you can call the Samaritans free from any phone.
Provides advice, information, onward referral, and holistic support to people experiencing mental ill-health and drug/alcohol difficulties (which could be exacerbated following the Currys PC World/Dixons Travel hack). The service can also support people who have been a victim of crime.
Victims of online offences such as scams and financial/identity fraud following the Currys PC World/Dixons Travel data hack should contact Action Fraud to report their loss.
A source of unbiased, factual, and easy-to-understand information on online safety with guidance to protect you from fraud, identity theft and abuse.
Impartial advice to help everyone in the UK protect themselves against financial fraud.
At Keller Postman UK, we understand that choosing a data breach solicitor can be daunting. How do you know if it is the right firm for you? To make the process a little bit easier, here are some questions you should ask when choosing a Currys PC World/Dixons Travel data breach lawyer.
Most firms do not have lawyers who are experts in data breach law. But at Keller Postman UK, we have a dedicated team of data protection experts led by Kingsley Hayes – arguably the UK’s foremost data breach solicitor. Our data breach solicitors are at the forefront of data breach legal services. And, because we have been doing this for longer than most, we lead our field when it comes to understanding the complexities involved. We know what it takes to make a successful data breach claim.
Some firms will offer their services on a no-win, no-fee basis. This means that, if you do not win, you shouldn’t have to pay a penny. But be careful to check the small print. With Keller Postman UK:
Several UK firms have knowledge of multi-claimant litigation, but it is worth checking to see if they have specifically managed multiple data breach group actions. At Keller Postman UK, we are currently managing several significant data breach group actions. And we have secured settlements against big players such as British Airways and Ticketmaster.
Several UK firms have knowledge of multi-claimant litigation, but it is worth checking to see if they have specifically managed multiple data breach group actions. At Keller Postman UK, we are currently managing several significant data breach group actions. And we have secured settlements against big players such as British Airways and Ticketmaster.
See our answers to the FAQs we get asked about the Currys PC World/Dixons Travel data breach.
A massive data breach hit the company in 2017. The breach affected Currys PC World and Dixons Travel stores. Details stolen by cybercriminals included names, addresses, phone numbers, dates of birth, and email addresses. All of which can be used by cybercriminals to commit further crimes. The hackers also got access to the records of 5.9 million payments cards.
On Jan 9th, 2020, the company was fined £500,000 by the Information Commissioner’s Office (ICO). According to the ICO, “The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.” This fine was later reduced to just £250,000.
The ICO investigated the breach and found:
No. While the ICO has the power to impose hefty fines on organisations in breach of their duties, it does not award compensation. However, now that the ICO has found Currys PC World/Dixons Travel guilty of failing to protect your data, we can use this evidence to support your data breach compensation claim.
While Currys PC World/Dixons Travel were the victim of a cyber-attack, the business or organisation responsible is the one who controlled your personal information if they intentionally, negligently or recklessly allowed it to be lost, leaked or hacked. So, in this case, Currys PC World/Dixons Travel are responsible.
There are no costs to join a claim. However, if your claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At Keller Postman UK, our fees are reasonable and we always explain what you will have to pay if you win up-front.
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known (here or in the US) as class actions, multi-claimant or multi-party actions.
A group action allows people with the same type of claim to bring it together on a collective basis. This strengthens their overall position and makes big organisations take the matter seriously. This increases the claimant’s chances of settlement or success in litigation.
Just because your case is part of a group action doesn’t mean that everyone will receive the same amount of compensation if successful. All claims are settled based on their merits, and you will receive what you are owed.
If you are part of a group action with another firm and you would like to know more about switching to Keller Postman UK, contact us today.
While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:
With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.
GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.
Keller Postman UK has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
Keller Postman UK is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.
