Attackers have 16-digit card numbers, expiry dates, but not names. Should org get £500k fine?

The UK's data protection watchdog has scored a small win in a lengthy legal battle against a British retail group that lost millions of data records during a 2017 breach.

You can read Lord Justice Warby's decision, handed down yesterday, here [PDF].

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) – the relevant legislation at the pre-GDPR time.

Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later reversed by the upper tribunal [PDF], which sided with DSG Retail and, if that decision was final, would have effectively nullified the ICO's fine.

Important to the case is the nature of the data that was stolen. Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and ...