The UK’s data watchdog has handed mobile phone retailer Carphone Warehouse a £400,000 fine — just shy of the £500k maximum the regulator can currently issue — for security failings attached to a 2015 hack that compromised the personal data of some three million customers and 1,000 employees.
Compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. Exposed records for some Carphone Warehouse employees included name, phone numbers, postcode and car registration details.
Commenting on the penalty in a statement, the UK’s information commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The Information Commissioner’s Office (ICO) said it identified “multiple inadequacies” in the company’s approach to data security during its investigation, and determined the company had failed to take adequate steps to protect people’s personal information.
Intruders had been able to use valid login credentials to access Carphone Warehouse’s system via out-of-date WordPress software, the ICO said.
Inadequacies in the organisation’s technical security measures were also exposed by the incident, with important elements of the software in use on the affected systems being out of date and the company failing to carry out routine security testing.
There were also inadequate measures in place to identify and purge historic data, it added.
“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees,” said Denham.
“The law says it is the company’s responsibility to protect customer and employee personal information. Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack — systems can’t be exploited if intruders can’t get in.”
A Carphone Warehouse spokesman provided the following statement in response to the fine:
We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.
Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.
We are very sorry for any distress or inconvenience the incident may have caused.
In October 2016 the ICO issued a £400k penalty to UK ISP TalkTalk also for a 2015 data breach — though in that instance only around 157,000 customer accounts were affected.
The maximum fine that data protection regulators in the European Union will be able to hand out will step up significantly in a matter of months — to £17M or 4 per cent of a company’s annual turnover — as the EU’s General Data Protection Regulation comes into force in May.
As well as inflating the maximum penalties for data protection failures, the GDPR imposes an obligation on companies processing EU citizens’ data to bake in data protection by design.