The Court of Appeal upholds the Information Commissioner’s position in the DSG case

Controllers are obliged to take appropriate technical and organisational security measures in respect of information which is personal data in their hands even if, in the hands of a third party, the information would not be regarded as personal data. By Nicola Cain of Handley Gill Limited.

Should an organisation which is the victim of a successful cyber attack avoid censure for its failure to comply with the seventh data protection principle (under the Data Protection Act 1998, the security duty), if the personal data extracted from its systems was not capable of identification by the attackers? In its judgment of 19 February(1) in DSG Retail Limited v Information Commissioner [2026] EWCA Civ 140, the Court of Appeal was required to grapple with the “surprising” consequences of the Upper Tribunal’s ruling that, under the Data Protection Act 1998 implementing the EU Data Protection Directive (95/46/EC), a data controller was not required to take appropriate technical and organisational measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller, but not in the hands of the third party.
