On February 19, 2026, the UK Court of Appeal allowed the UK Information Commissioner's Office's ("ICO") appeal against an Upper Tribunal decision in the long-running DSG Retail Ltd v Information Commissioner case. The Court ruled that whether a controller must safeguard data from unauthorized processing as personal data turns on whether the controller, rather than a third party, can identify the individuals.
The case arose from a large cyber-attack on the payment systems of DSG Retail (which operated a large chain of consumer electronics stores) between 2017 and 2018. Malware was installed on store tills and remained undetected for nine months, allowing attackers to capture payment card data during transactions. The stolen information consisted only of the card number and expiry date, without names or other identifying details. The ICO fined DSG £500,000 (the maximum penalty under the data protection law in force at the time) for failing to implement appropriate technical and organizational measures to protect personal data. DSG argued that because the attackers could not identify individuals from the data obtained, the information was not "personal data" in the attackers' hands, and therefore the security obligation did not apply. While this argument failed at the First-tier Tribunal, it was accepted by the Upper Tribunal on DSG's appeal.
The Court overturned the Upper Tribunal decision and allowed the ICO's appeal, holding that data protection law defines personal data from the controller's perspective, not that of the attacker. As such, the duty to implement appropriate security measures applies to all personal data that the controller holds, even against threats where the attacker cannot identify the individual. The Court also warned that adopting the third-party perspective would create gaps in the protection of personal data, undermining the objectives of data protection law. The case was remitted to the First-tier Tribunal for reconsideration of the monetary penalty.
Takeaway: The Court's decision provides a welcome clarification that it is the controller's perspective which matters in determining whether the duty to implement security measures applies. This also aligns with the recent EU decision in SRB v EDPS, which held that a controller's obligations must be assessed from the controller's perspective at the relevant time. The Court pointed out that it would be an odd result if a controller could avoid having to implement security measures to protect data on the basis that it wouldn't be identifiable to an attacker. However, the ability of an attacker to identify the relevant individuals remains a critical factor, both in deciding what security measures are needed and, in the aftermath of a cyberattack (e.g. for purposes of breach notification requirements), in assessing whether a third party could take malicious action. What is the real-world risk caused by disclosure of "personal data" if it cannot be tied back to any individual?