
Attackers have 16-digit card numbers, expiry dates, but not names. Should org get £500k fine?

(2026/02/20)


The UK's data protection watchdog has scored a small win in a lengthy legal battle against a British retail group that lost millions of data records during a 2017 breach.

You can read Lord Justice Warby's decision, handed down yesterday, [1]here [PDF].

The Information Commissioner's Office (ICO) originally fined DSG Retail £500,000 ($673,000) in 2020, the maximum financial penalty allowed under the Data Protection Act 1998 (DPA 1998) – the relevant legislation at the pre-GDPR time.


Its monetary penalty notice (MPN) was upheld by the Court of Appeal's first-tier tribunal but later [3]reversed by the upper tribunal [PDF], which sided with DSG Retail and, had that decision been final, would have effectively nullified [4]the ICO's fine.


Important to the case is the nature of the data that was stolen. Hackers installed malware on 5,390 tills across consumer electronics stores Currys PC World and Dixons Travel, both of which [7]DSG owns.

The malware went unnoticed for nine months, hoovering up 5.6 million payment card details and the personal information belonging to around 14 million people, the ICO confirmed when issuing its MPN.


Then-commissioner Steve Eckersley said at the time that the ICO's findings were "concerning" and related to "basic, commonplace security measures," that ultimately showed "a complete disregard" for customers' data.

The point of contention, central to the protracted legal case, is whether the card details the attackers scooped up could be used to identify cardholders. The trove of personal data accessed separately from the payment details is not in dispute in this case.

Crucially, the card details involved were the long 16-digit card number and expiry dates, but not the names on the cards.


DSG argues that this specific aspect of the case does not amount to a personal data breach since the hackers could not identify people from the payment card details alone. DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not.

The upper tribunal ruled against [10]the ICO, arguing that the case should be viewed from the perspective of the attackers. If they couldn't use the card data to identify people, then that data should not be considered personal data within the context of a DPA 1998 offense.

Lord Justice Warby concluded on Thursday that this argument was incorrect, siding with the ICO and sending the case back to the first-tier tribunal, which, he found, had ruled correctly in the first instance.

His judgment challenged the upper tribunal's interpretation of the law, saying that personal data must be viewed from the perspective of the controller: if the controller, in this case DSG Retail, can use the data to identify an individual, then it is personal data.

The relevant statute requires data controllers to safeguard this data, regardless of whether a third party could use it to identify individuals.

Lord Justice Warby added that the upper tribunal's thinking could lead to confusing consequences if that was indeed the correct interpretation of the DPA 1998.

The same approach would effectively free data controllers from the burden of protecting data in the event of a ransomware attack, for example, provided the attacker could not use it to identify people.

"It is implicit in the reasoning of the UT, and in DSG's submissions, that such interventions are essentially harmless from the perspective of data subjects, so long as the malicious actor is not able to identify the people to whom the data relate, so that a duty to guard against them would be pointlessly burdensome," Lord Justice Warby ruled. "I do not accept that."

He went on to discuss the possibility of jigsaw identification, whereby attackers could use the vast amounts of personal data that are accessible online, through various sources, as a means to identify the cardholders.

"Technology has vastly increased in sophistication. The ability to locate, assemble, and combine disparate items to elicit information about individuals is greatly enhanced. It will often prove impossible to rule out the risk that unauthorized access to part of a data set, which does not itself identify any individual, could lead to processing by some unknown third party with (legitimate) access to the means of identification."

Now that the Court of Appeal has ruled that DSG had a legal duty to safeguard the payment card data as personal data, the first-tier tribunal will review the case within the context of this judgment.

DSG could appeal the tribunal's decision, sending it back again to the upper tribunal. If disputes remain, it could become a matter for the UK Supreme Court.


Binnie Goh, general counsel at the ICO, said: "Today's judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.

"We welcome the CoA's confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can't identify people individually from stolen datasets, cyberattacks can and do still cause real harm.

"With the rising threat of cybercrime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold."

Currys plc, the current trading name of DSG Retail, did not respond to our requests for comment. ®




[1] https://www.judiciary.uk/wp-content/uploads/2026/02/ICO-v-DSG-2026-EWCA-Civ-140-FINAL-for-hand-down.pdf

[3] https://caselaw.nationalarchives.gov.uk/ukftt/grc/2023/983

[4] https://www.theregister.com/2020/01/09/dixons_store_group_fined_500000_by_ico_for_crap_security_that_exposed_56_millino_customers_payment_cards/

[7] https://www.theregister.com/2021/08/04/carphone_dixons_2018_breach_lawsuit_strikeout/

[10] https://www.theregister.com/2026/02/04/uk_spain_social_media_regulation/



Doctor Syntax

Perhaps a £500k fine, individual apologies to those affected and a well publicised public apology to encourage the others to do better.

Aaiieeee

"DSG acknowledges that it, as an organization, could make the link between the card data and real individuals, but says the attackers could not."

The fact that malware was installed on 5390 tills means that whatever DSG 'acknowledges' is irrelevant because they are fucking useless.

They failed their customers in their role as a data controller so on that basis should get a massive fine.

PC World and hard discs

Emir Al Weeq

Many, many moons ago I bought a USB hard disc from PC World. I backed up personal docs (nothing too private) that I planned to store off-site (parents' house).

It died after about a week so I returned it and was offered a replacement. I asked what would happen to the first unit with all my data on it and was assured that it would be destroyed.

I took the replacement unit home whereupon I noticed signs that the packaging had been opened before. I plugged it in and was presented with someone else's files.

I complained and raised my concerns about my data on the first disc. Never heard back, never used that shit show again. I didn't know Currys were part of the same group and may have used them since; bollox!
