The breach, which took place between July 2017 and April 2018, was uncovered one month before the implementation of the EU’s General Data Protection Regulation, under which the retailer’s fine could have been as much as £420 million ($549 million).
Steve Eckersley, the ICO’s director of investigations, said the security lapses at Dixons Carphone were “so serious” that the company got the maximum penalty under the older Data Protection Act, but that “the fine would inevitably have been much higher under the GDPR.”