Carphone Warehouse hit with £400k fine for 2015 data breach

The ICO says there were "systemic failures" in the company's data protection procedures

The Information Commissioner's Office (ICO) has slapped high-street mobile phone retailer Carphone Warehouse with a £400,000 fine for failing to adequately protect customer data, resulting in a data breach in 2015.

According to the data protection regulator, the firm failed to implement sufficient infrastructure, follow correct procedures, and adhere to protections outlined in the Data Protection Act, in order to avoid a catastrophic loss of data.

Cyber crooks were able to get into the company's systems and access the personal data of millions of customers in an attack described as "sophisticated" at the time.

The attack affected more than three million customers and 1,000 employees, with the attackers accessing information such as names, birth dates, addresses and bank details.

Carphone Warehouse was responsible for a range of "systemic failures" that led to the data breach, said the ICO, when it slapped the company with the hefty fine.

After the ICO learnt about the Carphone Warehouse breach, it opened a comprehensive investigation to establish how the attack happened and where the company had fallen short. In total, it identified 11 issues.

The tech firm relied on software that was out of date, and it lacked "rigorous controls" over who could access customer data. Investigators also found that the firm was relying on the same root password for multiple servers.

The ICO said there were "distinct and significant inadequacies in the security arrangements" and said the firm failed to implement "basic, commonplace measures".

It said that as a major "data controller", Carphone Warehouse should have used systems that complied with "the data protection principles".

One of the rules makes it clear that companies must "take reasonable steps to ensure the reliability of any employees" with access to customer data.

And with regard to infrastructure, firms have to ensure that they are using data protection hardware that provides "sufficient guarantees in respect to technical and organisational security".

In 2016, the ICO issued the same fine to TalkTalk when a hacker was able to access the personal data of more than 150,000 customers.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

Carphone Warehouse also responded, saying: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that firms need to do more to protect personal data and that they could face even bigger fines when GDPR comes into force.

"The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database," said Galloway.

"It is also a shot across the bow of such companies in the run-up to GDPR. While it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."

The ICO currently has a cap on the maximum fine it is able to levy, set at £500,000. However, had the data breach happened under the regulatory framework of GDPR, Carphone Warehouse could have been liable for a fine of up to €20 million, or 4% of global turnover.

In 2008, Carphone Warehouse received a warning from the ICO over its handling of customer data, after the company opened accounts with the wrong names and sent incorrect sensitive data to credit agencies and debt collectors.
