Three and a Half Pence: The Currys Breach That Took Nine Years to Matter
Podcast: The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
Published On: Mon Mar 02 2026
Description: Picture yourself tapping your card at a bustling store; the till chirps, and you walk away thinking that’s the end of the story. For millions of Currys customers, that ordinary moment in 2017 was the opening scene of a nearly decade-long drama that would ripple through courtrooms, regulator offices and countless inboxes. This episode unpeels that story — malware on thousands of point-of-sale terminals, 14 million people exposed, and a legal fight that turned a monumental failure into what worked out as roughly three and a half pence per person under the old law.

We set the scene as a crime thriller: silent malware skimming payment data across 5,390 tills for nine months, basic security absent where it mattered most, and a regulator reaching for the only enforcement tool it had under an older statute. Then the plot thickens. DSG fights back, tribunals slice and dice the ICO’s case, and years of appeals stretch this into a slow-motion moral fable about who the system really protects. But this isn’t just legal theatre — it’s human fallout. We follow the people on the receiving end: anxious customers, stalled group claims, and a lone litigant whose attempt at compensation is bounced between courts and stays. By the time the Court of Appeal finally says the obvious — a retailer that can link card numbers to people must treat them as personal data — most victims are already out of time to sue. The episode shows how the machinery of justice can leave ordinary people stranded.

Alongside the outrage, we pull apart the courtroom arguments that nearly let a multinational off the hook: the dangerous idea of judging identifiability from a hacker’s viewpoint, and the peril of treating data fragments as harmless. The Court of Appeal’s eventual clarity is legally important, but the delay exposes a chilling truth — if you’ve got deep pockets, you can litigate and wait out consequences while victims go uncompensated.
This is also a playbook episode for anyone who runs a small or mid-sized business. We translate the Court of Appeal’s ruling into a simple controller’s-eye test you can run on Monday morning: if you, as the organisation, can link data to a person, it’s personal data and worth protecting. From that test we give concrete, low-cost actions: map your data, cut unnecessary access, name who watches your logs, patch and MFA the essentials, and keep a one-page accountability pack that proves you took reasonable steps. We don’t just point fingers — we hand you a route out. The Currys saga becomes the cautionary tale that makes the normal business case for basics suddenly urgent: monitoring that notices intrusions, access reviews that kill zombie accounts, and documentation that shows you’re not winging it. Do these things and you move from case-study risk to trusted steward of customer data.

Finally, the episode is a story of how law, business and people collide — a vivid reminder that prevention matters more than litigation, and that the protections for customers are only as strong as the choices organisations make before the breach. Tune in to feel the outrage, understand the legal twists, and walk away with practical steps to stop your business from becoming headline fodder nine years from now.