Carphone Warehouse hit with £400k fine for 2015 data breach

The Information Commissioner's Office (ICO) has slapped high-street mobile phone retailer Carphone Warehouse with a 400,000 fine for failing to adequately protect customer data, resulting in a data breach in 2015.

According to the data protection regulator, the firm failed to implement sufficient infrastructure, follow correct procedures, and adhere to protections outlined in the Data Protection Act, in order to avoid a catastrophic loss of data.

Cyber crooks were able to get into the company's systems and access the personal data of millions of customers in an attack described as "sophisticated" at the time.

The attack affected more than three million customers and 1,000 employees, with the attackers accessing information such as names, birth dates, addresses and bank details.

Carphone warehouse was responsible for a range of "systemic failures" that led to the data attack, said the ICO, when it slapped the company with the hefty fine.

After the ICO learnt about the Carphone Warehouse breach, it opened a comprehensive investigation to figure out how the attack happened and the company's wrongdoing. In total, it discovered 11 issues.

The tech firm relied on software that was out of date, and it lacked "rigorous controls" over who could access customer data. Investigators also found that the firm was relying on the same root password for multiple servers.

The ICO said there were "distinct and significant inadequacies in the security arrangements" and said the firm failed to implement " basic, commonplace measures".

It said that as a major "data controller", the Carphone Warehouse should have used systems to comply with "the data protection principles".

One of the rules makes it clear that companies must "take responsible steps to ensure the reliability of any employees" with access to customer data.

And with regards to infrastructure, firms have to ensure that they are using data protection hardware that provides "sufficient guarantees in respect to technical and organisational security".

In 2016, the ICO issued the same fine to TalkTalk when a hacker was able to access the personal data of more than 150,000 customers.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

Carphone Warehouse also responded, saying: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said that firms need to do more to protect personal data and that they could face even bigger fines when GDPR comes into force.

"The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database," said Galloway.

"It is also a shot across the bow of such companies in the run-up to GDPR. While it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."

The ICO currently has a cap on the maximum fine it's able to levy, set at 500,000. However, had the data breach happened under the regulatory framework of GDPR, Carphone Warehouse may have been liable for a fine of up to 20million, or 4% of global turnover.

In 2008, Carphone Warehouse received a warning from the ICO over its handling of customer data, after the company opened accounts with the wrong names and sent incorrect sensitive data to credit agencies and debt collectors.

Image: Shutterstock

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.