ICO Wins Appeal over Data Protection Obligations in Currys Cyber Attack

ComputerWeekly – DevOps • February 19, 2026

Why It Matters

The judgment clarifies data‑protection duties, forcing companies to apply robust security measures regardless of data identifiability, and signals tougher future ICO enforcement.

Key Takeaways

  • ICO upheld £500k fine for Currys data breach
  • Court ruled organisations must protect all personal data
  • Interpretation applies even if data not directly identifiable
  • Decision strengthens ICO’s future enforcement capabilities
  • Businesses must implement robust technical and organisational measures

Pulse Analysis

The Currys Group breach, stemming from malware on point‑of‑sale devices between 2017 and 2018, exposed millions of credit‑card numbers and limited personal details. The ICO’s 2020 fine of £500,000 under the pre‑GDPR Data Protection Act highlighted gaps in the retailer’s security posture, including missing firewalls, unpatched software, and inadequate network segregation. While the breach pre‑dated GDPR, the case became a litmus test for how legacy data‑protection statutes apply to modern cyber threats, especially when stolen data is partially pseudonymised.

In a decisive Court of Appeal ruling, Lord Justice Warby affirmed that the seventh data‑protection principle obliges controllers to protect any personal data they process, irrespective of whether a third party can readily identify individuals. The judgment rejected DSG’s argument that EMV‑protected card details fell outside the scope of “appropriate technical and organisational measures.” By emphasizing a broader statutory construction, the court reinforced the ICO’s stance that pseudonymised or seemingly harmless data still warrants full protection, setting a precedent for future tribunals interpreting DPA obligations.

For the wider industry, the ruling sends a clear signal: compliance frameworks must treat all data as sensitive and implement comprehensive safeguards such as regular penetration testing, strict access controls, and continuous patch management. Companies can no longer rely on the perceived anonymity of encrypted or tokenised information to mitigate liability. As cyber‑crime escalates, regulators are likely to pursue more aggressive enforcement, making proactive data‑security investments not just best practice but a legal necessity. Organizations that adapt now will reduce exposure to fines, reputational damage, and costly remediation efforts.
