Attackers have 16-digit card numbers, expiry dates, but not names. Should org get £500k fine?

The Register
February 20, 2026
AI-Generated Deep Dive Summary
The UK's Information Commissioner's Office (ICO) has won a significant legal battle against DSG Retail, a British retail giant, over a massive 2017 data breach. Lord Justice Warby ruled that the card details stolen during the attack (16-digit card numbers and expiry dates) are personal data under the Data Protection Act 1998 (DPA 1998), because DSG Retail could identify individuals from that information, regardless of whether the attackers could. The decision revives the ICO's original £500,000 fine, which an upper tribunal had overturned; the case now goes back to the first-tier tribunal for reconsideration.

The breach began when hackers installed malware on 5,390 tills across Currys PC World and Dixons Travel stores. The attack went unnoticed for nine months, resulting in the theft of 5.6 million payment card details and personal information belonging to approximately 14 million individuals. At the time, then-ICO Commissioner Steve Eckersley described the breach as a failure of basic security measures, showing "a complete disregard" for customer data.

DSG Retail argued that because the stolen card details lacked names, they did not constitute personal data under the DPA 1998. Lord Justice Warby rejected this argument, holding that whether data is personal turns on the controller's (here, DSG Retail's) ability to identify individuals, not the attackers'. He emphasised that the law requires controllers to safeguard data regardless of whether an attacker could use it to identify anyone.

The ruling also rejects the upper tribunal's interpretation of the law, which Lord Justice Warby said could have led to confusing consequences: if the attackers' inability to identify individuals were the sole criterion, companies would effectively be absolved of their responsibility to protect data during attacks such as ransomware breaches. He further highlighted the risk of "jigsaw identification," where vast amounts of publicly available data can be combined to identify cardholders even without names.

This case underscores the importance of accountability in data protection and sets a precedent for how personal data is defined under pre-GDPR legislation. For tech readers, the decision highlights the ongoing need for robust security measures and the legal repercussions of failing to protect sensitive information.
Originally published on The Register on 2/20/2026