The UK’s information regulator issued Carphone Warehouse with a hefty fine as a result of a 2015 cyberattack.
Mobile retail firm Carphone Warehouse must pay a £400,000 fine after security failings at the company allowed an attacker to compromise the personal data of approximately 3m customers and 1,000 employees.
It is one of the largest fines ever issued by the Information Commissioner’s Office (ICO).
Vast quantities of data compromised
The data compromised in 2015 was extensive: names, addresses, dates of birth, marital status and phone numbers were all leaked, and 18,000 of the customers also had their historical payment card details compromised.
Information commissioner Elizabeth Denham admonished the company, saying that a business as “large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks”.
She described the ICO’s findings as concerning, with apparent systemic failures relating to rudimentary and commonplace security measures.
The attackers gained access to Carphone Warehouse's system using valid login credentials, via an out-of-date version of WordPress. The ICO found that the company was running many out-of-date software components and that routine security testing was not being carried out.
The identification and purging of historic data was also found to be inadequate. The ICO considered these failures a contravention of principle seven of the Data Protection Act 1998, the security principle, which requires appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.
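The two findings above, out-of-date software and no routine testing, are the kind of thing a scheduled check can catch cheaply. The script below is an added example, not code from the article or from Carphone Warehouse: it reads the WordPress core version from `wp-includes/version.php` and each plugin's `Version:` header, compares them against an approved baseline, and reports anything older or unapproved. The directory layout and header formats are WordPress's own; the sample install and the baseline versions are constructed for the example and do not describe what Carphone Warehouse was running. A real run would take the baseline from the WordPress update API or a vulnerability feed rather than a hard-coded dict.

```python
"""Routine check for out-of-date WordPress core and plugins.

Added example, not code from the article. Assumes the install lives under
`root` and that the caller supplies the approved minimum versions (here a
constructed dict); nothing here is fetched from the network.
"""
import os
import re
import tempfile

# Real formats: wp-includes/version.php holds `$wp_version = '4.9.4';`, and a
# plugin declares itself with `Plugin Name:` / `Version:` lines in a header
# comment in the first 8 KiB of its main .php file.
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(s):
    """'4.9.4' -> (4, 9, 4); tuples compare correctly, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def read_core_version(root):
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as f:
        m = WP_VERSION_RE.search(f.read())
    return m.group(1) if m else None


def read_plugin_versions(root):
    """Return {plugin_dir: version} taken from each plugin's header comment."""
    found = {}
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugins_dir):
        return found
    for name in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, name)
        if not os.path.isdir(pdir):
            continue
        for fname in sorted(os.listdir(pdir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(pdir, fname), encoding="utf-8", errors="replace") as f:
                head = f.read(8192)  # WordPress itself only reads the first 8 KiB
            if PLUGIN_NAME_RE.search(head):
                m = PLUGIN_VERSION_RE.search(head)
                found[name] = m.group(1) if m else "unknown"
                break  # the first file with a plugin header is the main file
    return found


def audit(root, baseline):
    """Return (component, installed, required) for every outdated or unapproved component."""
    findings = []
    core = read_core_version(root)
    if core is None or parse_version(core) < parse_version(baseline["core"]):
        findings.append(("wordpress-core", core, baseline["core"]))
    for plugin, ver in read_plugin_versions(root).items():
        required = baseline["plugins"].get(plugin)
        if required is None:
            # Unknown plugins are a finding too: nobody is tracking their patches.
            findings.append((plugin, ver, "not in approved baseline"))
        elif ver == "unknown" or parse_version(ver) < parse_version(required):
            findings.append((plugin, ver, required))
    return findings


# Constructed baseline for the example; versions are illustrative only.
SAMPLE_BASELINE = {"core": "4.3.0", "plugins": {"contact-form": "1.2.0", "gallery": "3.2.0"}}


def build_sample_install():
    """Build a constructed sample install (not a real site) with stale core and one stale plugin."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n$wp_version = '4.1.1';\n")
    for name, ver in (("contact-form", "1.2.0"), ("gallery", "3.0.1")):
        d = os.path.join(root, "wp-content", "plugins", name)
        os.makedirs(d)
        with open(os.path.join(d, name + ".php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    for component, installed, required in audit(build_sample_install(), SAMPLE_BASELINE):
        print(f"OUTDATED {component}: installed {installed}, required {required}")
```

Run it from cron against the web root and alert on a non-empty result; the point is that the check is scheduled and compared against a maintained baseline, which is exactly what the ICO found missing.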
A spokesperson for the company said Carphone Warehouse had cooperated in full with the ICO, and had moved swiftly to put additional security measures in place, informing the ICO and potentially affected customers and staff.
The spokesperson also said that since the attack, the company has been working extensively with cybersecurity firms to “improve and upgrade our security systems and processes”.
GDPR will see stricter punishments
With the GDPR on the way, fines from EU data protection regulators are set to increase dramatically, to a maximum of €20m or 4pc of global annual turnover, whichever is higher, so companies will be wary of the potential fallout from any underlying data issues.
Data protection by design is also a key element of the GDPR, and strong IT governance and information security measures must be tested, not merely documented, in order to comply.
Denham concluded: “The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.
“The law says it is the company’s responsibility to protect customer and employee personal information.
“Outsiders should not be getting to such systems in the first place. Having an effective, layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.”