Carphone Warehouse hit with £400k fine for 2015 data breach

The ICO says there were "systemic failures" in the company's data protection procedures

The Information Commissioner's Office (ICO) has slapped high-street mobile phone retailer Carphone Warehouse with a 400,000 fine for failing to adequately protect customer data, resulting in a data breach in 2015.

According to the data protection regulator, the firm failed to implement sufficient infrastructure, follow correct procedures, and adhere to protections outlined in the Data Protection Act, in order to avoid a catastrophic loss of data.

Cyber crooks were able to get into the company's systems and access the personal data of millions of customers in an attack described as "sophisticated" at the time.

The attack affected more than three million customers and 1,000 employees, with the attackers accessing information such as names, birth dates, addresses and bank details.

Carphone warehouse was responsible for a range of "systemic failures" that led to the data attack, said the ICO, when it slapped the company with the hefty fine.

After the ICO learnt about the Carphone Warehouse breach, it opened a comprehensive investigation to figure out how the attack happened and the company's wrongdoing. In total, it discovered 11 issues.

The tech firm relied on software that was out of date, and it lacked "rigorous controls" over who could access customer data. Investigators also found that the firm was relying on the same root password for multiple servers.

The ICO said there were "distinct and significant inadequacies in the security arrangements" and said the firm failed to implement " basic, commonplace measures".

It said that as a major "data controller", the Carphone Warehouse should have used systems to comply with "the data protection principles".

One of the rules makes it clear that companies must "take responsible steps to ensure the reliability of any employees" with access to customer data.

And with regards to infrastructure, firms have to ensure that they are using data protection hardware that provides "sufficient guarantees in respect to technical and organisational security".

In 2016, the ICO issued the same fine to TalkTalk when a hacker was able to access the personal data of more than 150,000 customers.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

Carphone Warehouse also responded, saying: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that firms need to do more to protect personal data and that they could face even bigger fines when GDPR comes into force.

"The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database," said Galloway.

"It is also a shot across the bow of such companies in the run-up to GDPR. While it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."

The ICO currently has a cap on the maximum fine it's able to levy, set at 500,000. However, had the data breach happened under the regulatory framework of GDPR, Carphone Warehouse may have been liable for a fine of up to 20million, or 4% of global turnover.

In 2008, Carphone Warehouse received a warning from the ICO over its handling of customer data, after the company opened accounts with the wrong names and sent incorrect sensitive data to credit agencies and debt collectors.

Image: Shutterstock

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now


Misconfigured Git servers lead to Nissan data leak

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021
BackupAssist teams with Wasabi to offer cheaper backup for businesses

BackupAssist teams with Wasabi to offer cheaper backup for businesses

6 Jan 2021
Data: A resource much too valuable to leave unprotected

Data: A resource much too valuable to leave unprotected

2 Dec 2020
Webhose and Signal Corp boost data breach detection

Webhose and Signal Corp boost data breach detection

7 Oct 2020

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021