Carphone Warehouse has been fined £400,000 by the Information Commissioner's Office (ICO) for security failures that led to a large-scale breach of customer and employee data in 2015, a breach the company disclosed at the time.
The fine equals the largest monetary penalty the ICO, the UK's data protection regulator, had issued to a single company at that time.
The 2015 breach exposed the personal data of over 3 million customers and 1,000 employees, including names, addresses, phone numbers, dates of birth and marital status, together with historical payment card details for more than 18,000 customers.
The ICO said the exposed data would “significantly affect individuals’ privacy” and was at “risk of being misused”.
The investigation uncovered multiple failings in Carphone Warehouse's data security, and the ICO concluded that the company had not taken the technical and organisational measures needed to protect its customers' data.
Carphone Warehouse is the UK’s largest independent electronics retailer and has around 1,100 high-street stores nationwide.
The Information Commissioner, Elizabeth Denham, gave scathing comments about the case: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The primary point of entry was an out-of-date WordPress installation, hosted on a system whose other software was also out of date. Once the attackers had obtained a valid login, nothing stopped them from reaching the current and historical data of thousands of employees and millions of customers. The ICO also found that other parts of the infrastructure were running outdated software, and that Carphone Warehouse had not been carrying out routine vulnerability checks or penetration tests on the systems concerned.
Speaking to VPNs.co.uk, a spokesperson for Carphone Warehouse said: “We accept the decision by the ICO and have co-operated fully throughout its investigation… we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”
The company added that it had agreed to pay the £400,000 fine early, which reduced it by 20% to £320,000.
The ICO investigation also found no evidence that the compromised details had been used for identity theft or fraud.
Stricter data protection rules come into force on 25 May 2018.
The General Data Protection Regulation (GDPR) is an EU regulation that requires companies to take stronger measures to protect the personal data of employees and customers. Companies found to be non-compliant face far heavier fines than were available under the previous regime, up to €20 million or 4% of annual global turnover, whichever is higher.