Some 5.6 million credit cards were affected by a data breach at Dixons Carphone, committed through 5,390 sales terminals over nine months between July 2017 and April 2018 and resulting in a £500,000 (U.S. $653,000) fine from the U.K. Information Commissioner’s Office. The company also admitted 73 percent of its database was infiltrated through malware on its tills, impacting 14 million people.

The attackers gained access to payment card details, as well as personal information including full names, postcodes, e-mail addresses, and failed credit checks from internal servers.

The ICO’s investigation found Dixons Carphone’s IT security was poor and included inadequate software patching, absence of a local firewall, and a lack of network segregation and routine security testing.

In its penalty notice, the ICO complains of “systemic failures,” “a complete disregard for customers,” “a careless loss of data,” and a “lack of basic, commonplace security measures,” adding: “deficiencies in [the company’s] technical and organisational measures created real risks of such data breaches,” especially after an external review in May 2017 found the company’s point of sale terminals were vulnerable to attack, could not be relied upon, and may have lacked compliance with industry standards.

Lawyers—as well as the regulator—have suggested the company was lucky to have detected the cyber-attack one month before the EU’s General Data Protection Regulation (GDPR) arrived, whereby fines can be set as high as 4 percent of annual turnover. Christine Andrews, director of data protection at privacy consultancy DQM GRC, estimates—based on Dixons Carphone’s 2018 revenues of £10.5bn (U.S. $14 billion)—the fine under the GDPR could have been as high as £420 million ($549 million).

Instead, the ICO could only issue a penalty under the previous Data Protection Act, with fines limited to a maximum of £500,000 (U.S. $650,000), as happened with Facebook in October 2018.

“The sad thing is that there really isn’t anything particularly remarkable about this case: It’s just the latest example of a big and well-resourced business being bad at security.”

Dan Hedley, Partner, Irwin Mitchell

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation,” said Steve Eckersley, the ICO’s director of investigations, adding “the fine would inevitably have been much higher under the GDPR.”

In January 2018, the regulator fined Carphone Warehouse, part of the same group, £400,000 (U.S. $522,000) for similar security vulnerabilities—“one of the highest fines the ICO had ever issued at the time,” says Gareth Oldale, a partner at U.K. law firm TLT.

Some commentators argue the penalty its subsidiary received may have prompted Dixons to do the review leading to the breach’s discovery just three months later—a move that has probably saved it millions of pounds. In previous cases—namely British Airways (BA)—the ICO has made it clear any loss of financial data is likely to compound any financial penalty. Last July, BA was hit with a £183.4 million (U.S. $230 million) penalty for failing to protect the personal and financial data of 500,000 customers.

Lawyers say the case underlines the importance of having adequate security and regular monitoring—and larger companies will be hit harder for bigger failings.

“The sad thing is that there really isn’t anything particularly remarkable about this case: It’s just the latest example of a big and well-resourced business being bad at security,” says Dan Hedley, a partner at law firm Irwin Mitchell. “At the risk of stating the obvious, if a business is sitting on large amounts of people’s data, it really just needs to get at least the basics of security right.”