惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
量子位
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
T
Threat Research - Cisco Blogs
Latest news
Latest news
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
NISL@THU
NISL@THU
T
Tor Project blog
Hacker News: Ask HN
Hacker News: Ask HN
V2EX - 技术
V2EX - 技术
T
The Exploit Database - CXSecurity.com
博客园 - 三生石上(FineUI控件)
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
博客园 - 叶小钗
博客园 - 聂微东
Last Week in AI
Last Week in AI
爱范儿
爱范儿
腾讯CDC
博客园 - Franky
美团技术团队
J
Java Code Geeks
O
OpenAI News
L
Lohrmann on Cybersecurity
Simon Willison's Weblog
Simon Willison's Weblog
有赞技术团队
有赞技术团队
T
Threatpost
G
GRAHAM CLULEY
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
宝玉的分享
宝玉的分享
I
Intezer
N
News and Events Feed by Topic
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
S
Security @ Cisco Blogs
Forbes - Security
Forbes - Security
N
News | PayPal Newsroom
Stack Overflow Blog
Stack Overflow Blog
Scott Helme
Scott Helme
H
Hacker News: Front Page
Cloudbric
Cloudbric

The Register - Off-Prem: Channel

'Death sentence': EU cloud lobby drags Broadcom to Brussels Iran war wreaking havoc on cargo, global delays likely OpenAI asks consultants to help it push Frontier OpenAI asks consultants to help it push Frontier Rising memory costs see vendors change terms and conditions Capgemini to sell biz that has a deal to help ICE Ingram Micro admits ransomware raid exposed staff records Hiring at India’s Big Four outsourcers stalls as AI bites Hiring at India’s Big Four outsourcers stalls as AI bites Accenture to buy Palantir rival, UK-based Faculty The ‘Palantir-ization’ of IT services is upon us Amazon straps AI smart specs to delivery drivers Microsoft pivots to copyright claim in ValueLicensing case Client defended engineer boss lied about dodgy dealings Client defended engineer boss lied about dodgy dealings Node4 awarded £2.4M in damages after Tisski takeover Trump tariff turmoil toys with PC sales, economy not helping Everyone needs an AI phone. No, don't hang up, it's true Microsoft software reselling dispute heads back to UK court KPMG wrote 100-page prompt to build agentic TaxBot Google admits anticompetitive conduct in Australia Foxconn now making more from servers than iPhones Stock in the Channel pulls website amid cyberattack Ebuyer website bought by Fraser Group plc Ingram Micro attackers threaten 3.5 TB data leak this week India, not China, manufactures most US smartphones now India, not China, manufactures most US smartphones now Microsoft exec admits it 'cannot guarantee' data sovereignty Infosec firm Adarma confirms it will enter administration Small clouds out as VMware again changes partner program Trump tariffs turn techies topsy-turvy: US braced for PC tax Ingram Micro restarts orders – for some – following ransomware attack Ingram Micro confirms ransomware behind multi-day outage 14-hour+ global blackout at Ingram Micro halts customer orders Ingram Micro still silent 14 hours after global outage began Impact of Microsoft taking over Enterprise Account renewals starts to 'bite' Kaseya CEO: Why AI adoption is below industry expectations Taiwan blocks exports to SMIC, Huawei in defiance of Beijing Doomed UK smartphone maker Bullitt Group finally liquidated VMware drops the lowest tier of its partner program – except in Europe VMware price hikes? Between 800 and 1,500%, claim Euro customers Microsoft adds custom SaaS payment plans, variable payments India’s services giants brace for impact as US tariffs bite Tech suppliers await final grade as Trump prepares to flunk Department of Education Have I Been Pwned likely to ban resellers from buying subs, citing 'sh*tty behavior' and onerous support requests Have I Been Pwned likely to ban resellers Biz tax rises, inflation and high interest. Why fewer UK tech firms started in 2024 Fewer UK tech startups launched in 2024 Brit government contractor CloudKubed enters administration UK government tech procurement lacks understanding, says watchdog Microsoft, PC makers cut prices of Copilot+ gear in Europe, analyst stats confirm Microsoft invites Chinese software vendors to sell on its marketplace and through its partners Microsoft to sell Chinese software on its marketplace The channel stands corrected: Hardware is a refresh cycle business now Channel stands corrected: Hardware a refresh cycle biz now Ingram Micro to 'stop doing business' with Broadcom, downgrade to 'limited engagement' on VMware Microsoft preps big guns to shift Copilot software and PCs Pakistan IT org warns that bad internet could kill industry One of Europe's largest resellers mandates 3-day office week AI PCs need to be better at everything trad PCs can do Intel share price drop could see it delisted from Dow Jones IBM Canada can't duck systematic age discrimination claim Google goes shopping for Indian e-commerce assets at Walmart Fujitsu Japan adopts Oracle's Alloy service provider cloud Wipro appoints new CEO: US boss Srini Pallia takes over Microsoft reseller tells LSE of over 100 undisclosed deals Citrix reportedly doubles cost of some software licenses VMware by Broadcom teases more, cheaper, training, from May Boss at Microsoft reseller quits, admits secret share trades eBay tells 1,000 workers their days at company are numbered AWS Marketplace adds sales of third-party services Foxconn’s teams with HCL Group for India chip packaging play Nutanix set to benefit most from Broadcom's VMware upheaval India's big four services giants soar on demand for AI Broadcom to end VMware’s partner program Infosys loses ten-year, $1.5 billion contract China’s annual e-tail frenzy set records, but revenue hidden Infosys and Wipro slow graduate recruitment Gulf states and 'The Stans' could become new tech hotspot 'Unexpected system challenges’ delay Microsoft product Microsoft tells partners unbundling Teams is a ‘compromise’ Two top execs quit Infosys months after its president jumped JP Morgan: Bad times just starting for India's outsourcers Dell pulls storage, PCs, and compute into Apex ITaaS India’s major IT outsourcers slow hiring, fret about deals Microsoft pays $3.3M for alleged US sanctions busting Microsoft pauses delayed partner ecosystem security update Azure usage notifications for partners broken until March Revenues grows strongly at India’s big four IT outsourcers
ICO wins battle in fight to fine tech retailer £500k
Connor Jones Connor Jones · 2026-02-20 · via The Register - Off-Prem: Channel

Security

Attackers have 16-digit card numbers, expiry dates, but not names. Now org gets £500k fine

Appeals judge overrules lower tribunal in latest battle of ICO against a breached retail giant

The UK's data protection watchdog has scored a small win in a lengthy legal battle against a British retail group that lost millions of data records during a 2017 breach.

You can read Lord Justice Warby's decision, handed down yesterday, here [PDF].

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) – the relevant legislation at the pre-GDPR time.

Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine.

Important to the case is the nature of the data that was stolen. Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and Dixons Travel, both of which DSG owns.

The malware went unnoticed for nine months, hoovering up 5.6 million payment card details and the personal information belonging to around 14 million people, the ICO confirmed when issuing its MPN.

Then-commissioner Steve Eckersley said at the time that the ICO's findings were "concerning" and related to "basic, commonplace security measures," that ultimately showed "a complete disregard" for customers' data.

The point of contention, central to the protracted legal case, is whether the card details the attackers scooped up could be used to identify cardholders. The trove of personal data accessed separately from the payment details is not something being debated in this case.

Crucially, the card details involved were the long 16-digit card number and expiry dates, but not the names on the cards.

DSG argues that this specific aspect of the case does not amount to a personal data breach since the hackers could not identify people from the payment card details alone. DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not.

The upper tribunal ruled against the ICO, arguing that the case should be viewed from the perspective of the attackers. If they couldn't use the card data to identify people, then that data should not be considered personal data within the context of a DPA 1998 offense. 

Lord Justice Warby concluded on Thursday that this argument was incorrect, siding with the ICO, sending the case back to the first-tier tribunal which ruled correctly in the first instance.

His judgment challenged the upper tribunal's interpretation of the law, saying that personal data must be viewed from the perspective of the controller; if it can lead to the identification of an individual, in this case, at DSG Retail, then it is personal data.

The relevant statute requires data controllers to safeguard this data, regardless of whether a third party could use it to identify individuals.

Lord Justice Warby added that the upper tribunal's thinking could lead to confusing consequences if that was indeed the correct interpretation of the DPA 1998.

The same approach would effectively free data controllers of the burden of protecting data in the event of a ransomware attack, for example, provided the attacker could not use it to identify people.

"It is implicit in the reasoning of the UT, and in DSG's submissions, that such interventions are essentially harmless from the perspective of data subjects, so long as the malicious actor is not able to identify the people to whom the data relate, so that a duty to guard against them would be pointlessly burdensome," Lord Justice Warby ruled. "I do not accept that."

He went on to discuss the possibility of jigsaw identification, whereby attackers could use the vast amounts of personal data that are accessible online, through various sources, as a means to identify the cardholders.

"Technology has vastly increased in sophistication. The ability to locate, assemble, and combine disparate items to elicit information about individuals is greatly enhanced. It will often prove impossible to rule out the risk that unauthorized access to part of a data set, which does not itself identify any individual, could lead to processing by some unknown third party with (legitimate) access to the means of identification."

Now that the Court of Appeal has ruled that DSG had a legal duty to safeguard the payment card data as personal data, the first-tier tribunal will review the case within the context of this judgment.

DSG could appeal the tribunal's decision, sending it back again to the upper tribunal. If disputes remain, it could become a matter for the UK Supreme Court.

Binnie Goh, general counsel at the ICO, said: "Today's judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry. 

"We welcome the CoA's confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can't identify people individually from stolen datasets, cyberattacks can and do still cause real harm.  

"With the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold." 

Curry's PLC, the current trading name of DSG Retail, did not respond to our requests for comment. ®