Carphone Warehouse hit with £400k fine for 2015 data breach

The ICO says there were "systemic failures" in the company's data protection procedures

The Information Commissioner's Office (ICO) has slapped high-street mobile phone retailer Carphone Warehouse with a £400,000 fine for failing to adequately protect customer data, resulting in a data breach in 2015.

According to the data protection regulator, the firm failed to implement sufficient infrastructure, follow correct procedures, and adhere to protections outlined in the Data Protection Act, in order to avoid a catastrophic loss of data.

Cyber crooks were able to get into the company's systems and access the personal data of millions of customers in an attack described as "sophisticated" at the time.

The attack affected more than three million customers and 1,000 employees, with the attackers accessing information such as names, birth dates, addresses and bank details.


Carphone Warehouse was responsible for a range of "systemic failures" that led to the data attack, said the ICO, when it slapped the company with the hefty fine.

After the ICO learnt about the Carphone Warehouse breach, it opened a comprehensive investigation to figure out how the attack happened and the company's wrongdoing. In total, it discovered 11 issues.

The tech firm relied on software that was out of date, and it lacked "rigorous controls" over who could access customer data. Investigators also found that the firm was relying on the same root password for multiple servers.

The ICO said there were "distinct and significant inadequacies in the security arrangements" and said the firm failed to implement "basic, commonplace measures".

It said that as a major "data controller", Carphone Warehouse should have used systems to comply with "the data protection principles".

One of the rules makes it clear that companies must "take reasonable steps to ensure the reliability of any employees" with access to customer data.

And with regards to infrastructure, firms have to ensure that they are using data protection hardware that provides "sufficient guarantees in respect to technical and organisational security".

In 2016, the ICO issued the same fine to TalkTalk when a hacker was able to access the personal data of more than 150,000 customers.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."


Carphone Warehouse also responded, saying: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that firms need to do more to protect personal data and that they could face even bigger fines when GDPR comes into force.

"The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database," said Galloway.

"It is also a shot across the bow of such companies in the run-up to GDPR. While it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."

The ICO currently has a cap on the maximum fine it's able to levy, set at £500,000. However, had the data breach happened under the regulatory framework of GDPR, Carphone Warehouse may have been liable for a fine of up to €20 million, or 4% of global turnover.

In 2008, Carphone Warehouse received a warning from the ICO over its handling of customer data, after the company opened accounts with the wrong names and sent incorrect sensitive data to credit agencies and debt collectors.

Image: Shutterstock
