---
title: "Attackers have 16-digit card numbers, expiry dates, but not names. Now org gets £500k fine"
description: "The UK's data protection watchdog has upheld a £500,000 fine against DSG Retail for a 2017 data breach that exposed millions of payment card details. The Court of Appeal ruled that DSG had a legal dut"
type: "news"
locale: "en"
url: "https://longbridge.com/en/news/276519479.md"
published_at: "2026-02-21T19:57:17.000Z"
---

# Attackers have 16-digit card numbers, expiry dates, but not names. Now org gets £500k fine

> The UK's data protection watchdog has upheld a £500,000 fine against DSG Retail for a 2017 data breach that exposed millions of payment card details. The Court of Appeal ruled that DSG had a legal duty to safeguard the data as personal information, despite the attackers not being able to identify cardholders from the stolen details. The case will return to the first-tier tribunal for further review, with potential for appeal to the UK Supreme Court. The ICO emphasized the importance of protecting all personal data processed by organizations.

The UK's data protection watchdog has scored a small win in a lengthy legal battle against a British retail group that lost millions of data records during a 2017 breach. You can read Lord Justice Warby's decision, handed down yesterday, here \[PDF\].

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998), the relevant legislation in the pre-GDPR era. Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal \[PDF\], which sided with DSG Retail and, had that decision been final, would have effectively nullified the ICO's fine.

Important to the case is the nature of the data that was stolen.
Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and Dixons Travel, both of which DSG owns. The malware went unnoticed for nine months, hoovering up 5.6 million payment card details and the personal information belonging to around 14 million people, the ICO confirmed when issuing its MPN.

Then-commissioner Steve Eckersley said at the time that the ICO's findings were "concerning" and related to "basic, commonplace security measures" that ultimately showed "a complete disregard" for customers' data.

The point of contention, central to the protracted legal case, is whether the card details the attackers scooped up could be used to identify cardholders. The trove of personal data accessed separately from the payment details is not being debated in this case.

Crucially, the card details involved were the long 16-digit card number and expiry dates, but not the names on the cards. DSG argues that this specific aspect of the case does not amount to a personal data breach, since the hackers could not identify people from the payment card details alone. DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not.

The upper tribunal ruled against the ICO, arguing that the case should be viewed from the perspective of the attackers: if they could not use the card data to identify people, then that data should not be considered personal data within the context of a DPA 1998 offense.

Lord Justice Warby concluded on Thursday that this argument was incorrect, siding with the ICO and sending the case back to the first-tier tribunal, which in his view had ruled correctly in the first instance. His judgment challenged the upper tribunal's interpretation of the law, saying that personal data must be viewed from the perspective of the controller: if the data can lead to the identification of an individual, in this case at DSG Retail, then it is personal data.
The relevant statute requires data controllers to safeguard this data, regardless of whether a third party could use it to identify individuals.

Lord Justice Warby added that the upper tribunal's thinking could lead to confusing consequences if that were indeed the correct interpretation of the DPA 1998. The same approach would effectively free data controllers of the burden of protecting data in the event of a ransomware attack, for example, provided the attacker could not use it to identify people.

"It is implicit in the reasoning of the UT, and in DSG's submissions, that such interventions are essentially harmless from the perspective of data subjects, so long as the malicious actor is not able to identify the people to whom the data relate, so that a duty to guard against them would be pointlessly burdensome," Lord Justice Warby ruled. "I do not accept that."

He went on to discuss the possibility of jigsaw identification, whereby attackers could use the vast amounts of personal data accessible online, through various sources, as a means to identify the cardholders.

"Technology has vastly increased in sophistication. The ability to locate, assemble, and combine disparate items to elicit information about individuals is greatly enhanced. It will often prove impossible to rule out the risk that unauthorized access to part of a data set, which does not itself identify any individual, could lead to processing by some unknown third party with (legitimate) access to the means of identification."

Now that the Court of Appeal has ruled that DSG had a legal duty to safeguard the payment card data as personal data, the first-tier tribunal will review the case within the context of this judgment. DSG could appeal the tribunal's decision, sending it back again to the upper tribunal. If disputes remain, it could become a matter for the UK Supreme Court.
Binnie Goh, general counsel at the ICO, said: "Today's judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.

"We welcome the CoA's confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can't identify people individually from stolen datasets, cyberattacks can and do still cause real harm.

"With the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold."

Currys PLC, the current trading name of DSG Retail, did not respond to our requests for comment.