Three and a Half Pence: The Currys Breach That Took Nine Years to Matter
The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups · 2026-03-02 · 40 min
Episode notes
Picture yourself tapping your card at a bustling store. The till chirps, and you walk away thinking that’s the end of the story. For millions of Currys' customers, that ordinary moment in 2017 was the opening scene of a nearly decade-long drama that would ripple through courtrooms, regulator offices and countless inboxes. This episode peels back that story: malware on thousands of point-of-sale terminals, 14 million people exposed, and a legal fight that turned a monumental failure into what worked out as roughly three and a half pence per person under the old law. We set the scene as a crime thriller: silent malware skimming payment data across 5,390 tills for nine months, basic security absent where it mattered most, and a regulator reaching for the only enforcement tool it had under an older statute. Then the plot thickens. DSG fights back, tribunals slice and dice the ICO’s case, and years of appeals stretch this into a slow-motion moral fable about who the system really protects. But this isn’t just legal theatre; it’s human fallout.