Carphone Warehouse hit with £400k fine for 2015 data breach

The ICO says there were "systemic failures" in the company's data protection procedures

The Information Commissioner's Office (ICO) has slapped high-street mobile phone retailer Carphone Warehouse with a £400,000 fine for failing to adequately protect customer data, resulting in a data breach in 2015.

According to the data protection regulator, the firm failed to implement sufficient infrastructure, follow correct procedures or adhere to the protections set out in the Data Protection Act, and so failed to avoid a catastrophic loss of data.


Cyber crooks were able to get into the company's systems and access the personal data of millions of customers in an attack described as "sophisticated" at the time.

The attack affected more than three million customers and 1,000 employees, with the attackers accessing information such as names, birth dates, addresses and bank details.

Carphone Warehouse was responsible for a range of "systemic failures" that led to the breach, said the ICO, when it slapped the company with the hefty fine.

After the ICO learnt about the Carphone Warehouse breach, it opened a comprehensive investigation to establish how the attack happened and where the company had gone wrong. In total, it discovered 11 issues.

The tech firm relied on software that was out of date, and it lacked "rigorous controls" over who could access customer data. Investigators also found that the firm was relying on the same root password for multiple servers.


The ICO said there were "distinct and significant inadequacies in the security arrangements" and said the firm failed to implement "basic, commonplace measures".

It said that as a major "data controller", Carphone Warehouse should have used systems to comply with "the data protection principles".

One of the rules makes it clear that companies must "take reasonable steps to ensure the reliability of any employees" with access to customer data.

And with regards to infrastructure, firms have to ensure that they are using data protection hardware that provides "sufficient guarantees in respect to technical and organisational security".

In 2016, the ICO issued the same fine to TalkTalk when a hacker was able to access the personal data of more than 150,000 customers.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.


"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

Carphone Warehouse also responded, saying: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that firms need to do more to protect personal data and that they could face even bigger fines when GDPR comes into force.


"The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database," said Galloway.

"It is also a shot across the bow of such companies in the run-up to GDPR. While it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."

The ICO currently has a cap on the maximum fine it's able to levy, set at £500,000. However, had the data breach happened under the regulatory framework of GDPR, Carphone Warehouse may have been liable for a fine of up to €20 million, or 4% of global turnover.

In 2008, Carphone Warehouse received a warning from the ICO over its handling of customer data, after the company opened accounts with the wrong names and sent incorrect sensitive data to credit agencies and debt collectors.
