Digital Audit: Currys plc

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Currys plc (LSE: CURY) Registered Address: 1 Portal Way, London W3 6RS, United Kingdom Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor press releases and case studies, trade and technology press, biometric-policy reporting, and UK regulatory/court records. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Currys procuring technology from Israeli-origin or Israel-linked vendors - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: a vendor’s other clients, its founders’ backgrounds, or a parent group’s separate activities are not attributed to Currys. US-entity relationships (e.g. Microsoft, Salesforce, Stripe, Databricks) are not Israeli-origin and are noted only for completeness, including where such a US vendor maintains an office in Israel.

Enterprise Technology Stack & Vendor Relationships

Strategic Technology Partnerships (Direction: Currys as customer)

In May 2024 Currys announced it had selected Accenture and Microsoft (both US-headquartered entities) to deliver its core cloud infrastructure and accelerate adoption of generative AI.¹² The programme migrates nine of Currys’ existing data centres - more than 2,000 servers and over 200 applications - to Microsoft Azure, with Avanade (the Accenture–Microsoft joint venture) working alongside Accenture to modernise and secure the estate; Currys will deploy Microsoft AI technologies including Azure OpenAI Service.¹³ Group CEO Alex Baldock was quoted on the partnership.¹ The migration was targeted for completion by October 2025, with the majority of workloads on Azure and a small number on other cloud providers.³ This is a procurement relationship with US vendors and is recorded for completeness only; it is not an Israeli-origin vendor relationship.

Currys also runs digital-transformation and CRM workloads on Salesforce (US-origin), having re-platformed its website on Salesforce Commerce Cloud and deployed Service Cloud and MuleSoft.⁴ LTIMindtree (India-headquartered) acts as Currys’ core digital-transformation and systems-integration partner on the Salesforce estate under a multi-year engagement begun in 2021.⁵ Currys has publicly described use of the Databricks Data Intelligence Platform (US-origin, San Francisco) for machine-learning, pricing and analytics workloads.⁶ No public evidence was identified that the Accenture, Salesforce, LTIMindtree, or Databricks engagements mandated or deployed Israeli-origin technology within Currys programmes.

Israeli-Origin / Israel-Linked Technology Vendors in the Currys Stack (Direction: Currys as customer)

Two vendors with Israeli founding heritage or substantial Israeli operations are documented in public sources as suppliers to Currys. In both cases the direction is Currys as the customer procuring a commercial product - not Currys providing technology to any Israeli entity.

Verint Systems - Verint published case-study material naming Currys (and its predecessor Dixons Carphone) as a customer for its Queue Management software supporting curbside/Buy-Online-Pick-up-In-Store check-in across Currys stores.⁷⁸ Verint is headquartered in Melville, New York, and is a US-incorporated company, but it has Israeli founding heritage (originating from Comverse) and retains a significant R&D centre of around 200 staff in Herzliya, Israel.⁹¹⁰ In February 2021 Verint completed the spin-off of its intelligence/cyber business as Cognyte Software Ltd (Nasdaq: CGNT), an Israel-registered entity; post-spin-off Verint trades as a pure-play customer-engagement vendor while the defence/intelligence activities sit in the separate Cognyte company.¹¹⁹ The Currys relationship is with the customer-engagement Verint entity. Currys is the customer; Verint is the vendor.

Centrical (Centrical, previously GamEffective) - Centrical’s 2025 Customer SELECT Award materials name Currys as a customer, citing deployment of its AI-powered workforce performance-management, learning and coaching platform at Currys’ Loughborough contact centre.¹²¹³ Centrical was founded in 2013 by Gal Rimon and maintains its principal offices in New York and Israel.¹⁴ Currys is the customer; Centrical is the vendor.

Both of these are procurement (inbound) relationships. Neither involves Currys supplying technology, data, or services to Israel.

Israeli-Origin Cybersecurity Vendors

No public evidence was identified confirming that Currys holds a licensing, subscription, or integration relationship with any Israeli-origin cybersecurity vendor - including Check Point, Wiz, CyberArk, SentinelOne, Claroty, or NICE Systems. Searches of vendor materials, trade press, and news databases surfaced no Currys deployment of any such product; inter-vendor partnership announcements among these firms do not evidence a Currys procurement relationship.¹⁵ No public evidence identified.

US Payment & QA Vendors (Direction: Currys as customer)

In December 2025 Currys announced a partnership with Stripe (US/Irish-incorporated) to install thousands of in-store payment terminals across almost 300 UK and Ireland stores, supporting faster transactions, mobile payments and future AI-enabled shopping experiences.¹⁶ Stripe is not an Israeli-origin vendor; the relationship is recorded for completeness only.

Procurement Transparency Constraints

Currys is a private-sector retailer not subject to UK public-procurement disclosure obligations. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack - including sub-vendors specified by integrators Accenture/Avanade or LTIMindtree - is undisclosed. This is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

Retail Crime Intelligence - Auror (Direction: Currys as customer; New Zealand-origin)

In July 2025 Currys announced the nationwide roll-out of the Auror retail crime-intelligence and reporting platform across all its UK and Ireland stores, following a 12-week trial in two regions; the trial was credited with identifying repeat offenders, supporting arrests, and averting stock loss.¹⁷¹⁸ Auror is an Auckland, New Zealand-founded company (founded 2012) and is not an Israeli-origin vendor.¹⁹ Currys COO Lindsay Haselhurst was quoted on the deployment.¹⁸ The publicly announced Currys deployment concerns Auror’s crime-reporting/intelligence software, not a facial-recognition module.¹⁸

Facial Recognition - Auror “Subject Recognition” Module

Auror launched a facial-recognition product, “Subject Recognition,” in late 2025, which allows participating retailers to match faces captured in-store against the retailer’s own watchlist of serious repeat offenders.¹⁹²⁰ No public evidence was identified that Currys has activated or deployed the Subject Recognition facial-recognition module; the publicly documented Currys deployment is of Auror’s crime-reporting platform.¹⁷¹⁸ Whether Currys uses the facial-recognition module is not established by public evidence. In any case, Auror is a New Zealand-origin vendor and the Subject Recognition product has no Israel nexus identified in public reporting; no provision of any technology, data, or service to Israel arises from Currys’ Auror relationship.

Israeli-Origin Surveillance / Biometric Vendors

No public evidence was identified that Currys has deployed facial-recognition, biometric, gait-analysis, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, Corsight AI, BriefCam, Trigo, Trax). Israeli retail-tech firms in this segment are documented with other clients, but no public source links any of them to Currys. No public evidence identified.

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

Currys’ documented workforce-monitoring deployment is the Centrical performance-management platform at its Loughborough contact centre (recorded above as a customer relationship).¹² No public evidence was identified of Currys using Israeli-origin predictive-policing, sentiment-analysis, or social-media-monitoring tools.

Third-Party Loss Prevention & Store-Level CCTV Analytics

Currys’ 2025 safety-and-security investment referenced upgraded public display monitors, product-security measures, and increased spend on guarding and surveillance.¹⁷ Third-party loss-prevention or CCTV-analytics sub-contractors used at store level are not publicly itemised, and it cannot be confirmed or excluded from public evidence whether any such sub-contractor deploys Israeli-origin technology within its own platform. No public evidence identified linking any to Currys.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence was identified that Currys operates, leases, or co-locates data-centre infrastructure within Israel. Currys’ disclosed cloud strategy centres on Microsoft Azure (a US-entity relationship), migrating nine UK data centres to Azure.¹³

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; Currys is neither a participant nor a sub-provider. No public evidence was identified of Currys involvement in any Israeli state-backed digital-infrastructure programme.

US-Vendor Israel Offices - Note for Completeness

Two US-origin vendors in the Currys stack maintain offices in Israel: Databricks operates a Herzliya office (described in reporting as a sales/solutions hub opened 2023), and Microsoft maintains an R&D presence in Israel.⁶²¹ Currys’ contracts are with the respective US/UK parent entities, and no public evidence was identified that Currys data is processed through Israeli-located infrastructure of either vendor; this is recorded as an unresolved line of inquiry, not a finding.

Data-Sovereignty or Resilience Services to Israeli State Institutions

No public evidence identified. Currys does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, or service agreement between Currys and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies. Currys is a consumer-electronics retailer and does not publicly operate in the defence-technology or security-services sector.

Provision of Technology / Data to the Israeli State or Military

No public evidence was identified of Currys providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence was identified of Currys commercial technology being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories.

Offensive Cyber Capability

No public evidence identified. Currys does not develop, license, or sell offensive cyber capability. Currys’ predecessor, DSG Retail (now Currys Group Ltd), was itself the victim of a major cyberattack between July 2017 and April 2018, in which malware installed on point-of-sale terminals compromised payment-card and personal data of millions of customers; this is recorded as factual digital context only and has no nexus to provision of technology to Israel (see Regulatory History below).²²

Currys Geographic Footprint - Israel

Currys operates only in the UK & Ireland and the Nordics (Norway, Sweden, Finland, Denmark and associated franchise territories, trading as Elkjøp).²³ No public evidence was identified of any Currys retail, franchise, or corporate presence in Israel, and therefore no Israeli-operations digital-infrastructure overlap arises. No public evidence identified.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified. Currys deploys AI/ML internally (generative-AI via Azure OpenAI, demand forecasting, pricing, contact-centre tooling);¹⁶ no public evidence was identified of Currys providing AI capability, model access, training corpora, or inference services to any Israeli state, military, or security body.

Training Corpora & Model Development Involving Israeli Population Data

No public evidence was identified of Currys contributing to, commissioning, or benefiting from AI model development involving Israeli population datasets. Currys’ disclosed AI activity relates to retail transactional and behavioural data within its UK/Ireland and Nordic markets.⁴⁶

Autonomous Systems & Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within Currys’ business domain.

Internal Algorithmic Deployment - Israeli-Origin AI Tooling

Currys’ documented internal generative-AI deployment runs through Microsoft’s Azure OpenAI platform (US-entity).¹ Of the Israel-linked vendors identified in this audit, Centrical supplies AI-powered workforce performance-management as a customer-facing internal tool (Currys as customer).¹² No public evidence was identified of any other Israeli-origin AI vendor embedded in Currys’ stack; the undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.

Technology Ecosystem & R&D Footprint

Israeli R&D Facilities

No public evidence was identified that Currys operates any R&D facility, engineering office, innovation lab, or accelerator programme within Israel. Currys’ primary markets are the UK & Ireland and the Nordics.²³

Acquisitions & Investments in Israeli Technology Companies

No public evidence was identified of Currys acquiring, or taking a corporate-venture stake in, any Israeli technology company. The Israel-linked vendors identified here (Verint, Centrical) are commercial software suppliers, not Currys investments. No public evidence identified.

Patents & IP Co-Development with Israeli Institutions

No public evidence was identified of patent portfolios, licensing, or co-development arrangements between Currys and Israeli-domiciled entities or research institutions (Technion, Hebrew University, Weizmann Institute).

Supplier Code of Conduct - Technology Supply-Chain Provisions

No public evidence was identified of a Currys technology-supply-chain due-diligence framework specific to the national origin or geopolitical exposure of technology vendors, software suppliers, or digital-infrastructure providers. No public evidence identified.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence was identified of an NGO investigation, academic study, or UN report addressing Currys’ technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. Currys does not appear in the Who Profits Research Centre database or comparable published investigations reviewed in relation to Israel-linked technology procurement. No public evidence identified.

BDS Campaigns

No public evidence was identified of an organised BDS, divestment, or sanctions campaign specifically targeting Currys, whether for technology provision to Israeli state entities or otherwise. Currys does not appear in the BDS Movement priority/pressure target lists or Palestine Solidarity Campaign UK records reviewed. No public evidence identified.

UK ICO & Courts - 2017–2018 DSG Cyberattack & Data Breach

DSG Retail Ltd (now Currys Group Ltd) was the victim of a cyberattack between July 2017 and April 2018 in which malware on more than 5,000 point-of-sale terminals compromised payment-card data and personal records of millions of customers.²² The Information Commissioner’s Office imposed a £500,000 penalty (the maximum under the Data Protection Act 1998) in January 2020 for inadequate security controls.²² The case proceeded through tribunal appeals; in February 2026 the Court of Appeal ruled against DSG, confirming that organisations must protect all personal data regardless of how attackers might exploit it, and remitting the matter to the First-Tier Tribunal.²² This exposure concerns Currys’ posture as the victim of an attack and the adequacy of its data-security controls; it is not connected to any Israeli-origin technology relationship.

UK ICO - Biometric / Facial Recognition

No public evidence was identified that Currys has been the subject of an ICO enforcement action or inquiry relating to facial recognition or biometric data. As recorded above, no public evidence establishes that Currys has activated a facial-recognition (Auror Subject Recognition) capability. No public evidence identified.

Export Controls & Sanctions Authorities

No public evidence was identified of any action by UK export-control authorities, HMRC, the Office of Financial Sanctions Implementation (OFSI), or any equivalent body relating to Currys technology sales, services, or data transfers to Israeli state entities. No public evidence identified.

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence identified of any regulatory or legal action relating to Currys technology sales or services to Israeli state entities.

Evidence Gaps

1. Full IT and security vendor stack (highest priority) - As a private retailer, Currys does not publicly disclose its sub-strategic IT and security vendor relationships, including sub-vendors specified by integrators Accenture/Avanade and LTIMindtree. The resident security-product stack is undisclosed, so Israeli-origin cybersecurity vendor exposure cannot be positively excluded on public evidence.

2. Auror facial-recognition activation - Whether Currys has activated Auror’s “Subject Recognition” facial-recognition module (as distinct from the base crime-reporting platform it has publicly rolled out) is not established by public evidence. Auror is in any case a New Zealand-origin vendor with no Israel nexus identified.

3. US-vendor Israel offices - Whether Currys data is processed through the Israel-located offices of US-origin vendors (Databricks Herzliya; Microsoft Israel R&D) is not publicly documented; any such exposure would be indirect.

4. Verint / Centrical data flows - The Verint and Centrical relationships are confirmed as procurement (Currys as customer), but contract scope, data residency, and the extent of processing in each vendor’s Israeli operations are not disclosed.

5. Retail surveillance sub-contractors - Third-party loss-prevention and CCTV-analytics sub-contractors across Currys’ UK/Ireland store estate are not publicly named; Israeli-origin technology embedded within their own stacks cannot be assessed.

End Notes