Carphone Warehouse hit with huge fine for data security breach

10 January 2018

The retailer’s computer systems were compromised following a cyber attack in 2015.

The Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for what was described as “serious failings” that placed customer and employee data at risk.

The retailer was issued with the penalty after one of its computer systems was compromised as a result of a cyber attack in 2015.

According to the ICO, Carphone Warehouse’s failure to secure the system allowed unauthorised access to the personal data of more than three million customers and 1,000 employees.

It said the compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The records for some employees, including name, phone numbers, postcode and car registration, were also accessed.

The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.

Information Commissioner Elizabeth Denham said: “A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring [that they] were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Following a detailed investigation, the ICO said it identified multiple inadequacies in the firm’s approach to data security and determined it had failed to take adequate steps to protect the personal information.

The ICO found that intruders were able to use valid login credentials to access the system via out-of-date WordPress software.

It added that the incident also exposed inadequacies in The Carphone Warehouse’s technical security measures.

The commissioner said important elements of the software in use on the systems affected were out of date and that the company failed to carry out routine security testing.

There were also inadequate measures in place to identify and purge historic data.

Denham acknowledged that The Carphone Warehouse had taken steps to fix some of the problems and protect those affected.

She also said that while there has been no evidence that the data breach has resulted in identity theft or fraud, outsiders should not have been able to get into such systems in the first place.

“Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in,” said Denham.

“Companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”

The Carphone Warehouse’s penalty ranks alongside the current record for the biggest fine so far issued by the ICO. In May 2017, marketing company Keurboom Communications was also ordered to pay £400,000 for making more than 99 million nuisance phone calls.

Commenting on the ICO’s latest action, Andy Norton, director of threat intelligence specialist Lastline, said the amount could have been much bigger.

“With a revenue of just over £10 billion pounds, Carphone Warehouse could have been fined up to £400 million if the ICO had imposed the maximum fine of four per cent of revenue under GDPR guidance.

“Clearly the ICO is signalling that its own internal view of data breach fines is not in line with European GDPR thinking. After May 25, the imposition of mandatory heavy fines will go a long way to ensure that our personal data is protected.”