Carphone Warehouse has been ordered to pay a fine of £400,000 (over €450,000) to the UK Information Commissioner’s Office, one of the largest fines the ICO has ever issued to a company. A data breach at Carphone Warehouse occurred in 2015, which led the ICO to investigate the company; that investigation uncovered a series of “systematic failures” in security practice. The severity of the fine reflected the fact that the data of up to 3 million customers was compromised, in addition to the data of a further 1,000 employees. The ICO also considered the data itself extensive, as names, addresses, phone numbers, marital status and dates of birth were all leaked. It is further believed that some 18,000 customers had payment card details leaked as well.
The £400,000 fine issued to Carphone Warehouse was one of the largest issued by the ICO. Over 3 million records were compromised in the breach.
In the course of investigating Carphone Warehouse, the ICO found 11 separate counts of security and data protection inadequacies – each of which would have constituted a breach of the Data Protection Act.
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” according to Information Commissioner Elizabeth Denham. “Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The data breach occurred when cyber criminals were able to access Carphone Warehouse’s internal systems, using valid login credentials on an out-of-date version of WordPress. The breach also affected the company’s online division, which operates the onestopphoneshop.com, e2save.co and mobiles.co.uk websites.
The ICO has stated that Carphone Warehouse had a “number of distinct and significant inadequacies” in its security arrangements, adding that it was “particularly concerning that a number of the inadequacies related to basic, commonplace measures”. Among the issues identified by the ICO were the use of software that was several years out of date, a lack of “rigorous controls” over login credentials, a total absence of antivirus software on the servers that held the data, the same password being used on multiple servers and known to “some 30-40 members of staff”, and the storage of complete payment card details with “no good reason” to do so.
An official statement for the company read, “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused”.
The ICO, along with other data protection bodies in Europe, has recently been seen to hand down significantly larger fines than usual, in suspected anticipation of the GDPR. Last year, telecoms company TalkTalk was issued with a similar €450,000 fine for a data breach. In both cases, the ICO found that the breaches could have been avoided if proper cyber security procedures and data protection controls had been in place. When the GDPR comes into full effect in May of this year, the maximum fine for a data breach (or for non-compliance with the regulation) will be €20 million, or 4% of the company’s global turnover if that figure is higher.
While we don’t expect every data breach to incur a fine in the millions come May, data protection authorities such as the ICO and the Irish DPC have said that they will take individual circumstances into account when deciding the size of a fine.
This means that a company without a robust, documented and thoroughly tested cyber security and data protection framework will be fined more for an incident than a company suffering an equivalent incident that has taken the necessary steps to be GDPR compliant. In particular, the regulation will require companies to employ “state of the art” technological measures to safeguard data.
Some cyber security measures that we believe will be crucial under the GDPR are ensuring that all staff are trained in security awareness, that next-generation antivirus and firewalls are in place, that all PCs and servers are patched regularly, and that data is backed up securely and can be restored in the event of an incident.
For more information on how to prepare your business for life under the GDPR, see our IT Essentials GDPR Bundle for small to medium sized businesses.