ICO slaps Carphone Warehouse with £400,000 fine for failing to prevent 2015 mega-hack
UK PHONE FLOGGER Carphone Warehouse has been slapped with a £400,000 fine following a 2015 hack that exposed the data of more than three million customers and 1,000 staffers.
The fine comes courtesy of the Information Commissioner’s Office, naturally, which has ruled that the company failed to adequately secure its systems, enabling intruders to easily access personal data.
While Carphone Warehouse at the time claimed that it takes “the security of customer data extremely seriously”, the high-profile data breach saw hackers make off with customer data including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, payment card details.
Records for some Carphone Warehouse employees, including names, phone numbers, postcodes and car registrations, were also accessed.
The ICO has been probing the incident for more than two years, and this week concluded that Carphone Warehouse had “failed to take adequate steps to protect the personal information”.
Intruders were able to access the company’s systems via out-of-date WordPress software, using valid log-in details, which the ICO says “exposed” inadequacies in the organisation’s technical security measures. For example, elements of the software in use on the affected systems were out of date, and the company failed to carry out routine security testing.
There were also inadequate measures in place to identify and purge historic data, which the ICO claims to be “a serious contravention” of Principle 7 of the Data Protection Act 1998.
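The ICO’s point about identifying and purging historic data is something a retention job has to do on a schedule, not once after a breach. What follows is an added example, not code from the ICO, Carphone Warehouse or the original article: a small Python retention pass over constructed sample records, with an assumed policy (purge a record after two years of inactivity, drop card details as soon as the card has expired) and a dry-run mode so the plan can be reviewed before anything is deleted. The record layout, the retention periods and the run date are all assumptions for illustration.

```python
import copy
from datetime import date, datetime, timedelta

# Constructed sample records: the kinds of fields the ICO said were held
# (names, last activity, card details). Not real Carphone Warehouse data.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "last_activity": "2011-03-02",
     "card_pan": "4111111111111111", "card_expiry": "2013-06"},
    {"id": 2, "name": "B. Customer", "last_activity": "2015-01-10",
     "card_pan": "5500000000000004", "card_expiry": "2014-12"},
    {"id": 3, "name": "C. Customer", "last_activity": "2015-06-30",
     "card_pan": None, "card_expiry": None},
]

# Assumed policy: purge a whole record after two years of inactivity, and drop
# card data once the card has expired. Both periods are illustrative only.
RETENTION_DAYS = 2 * 365


def classify(record, today):
    """Decide what to do with one record: 'purge', 'purge_card' or 'keep'."""
    last = datetime.strptime(record["last_activity"], "%Y-%m-%d").date()
    if today - last > timedelta(days=RETENTION_DAYS):
        return "purge"
    expiry = record.get("card_expiry")
    if expiry:
        year, month = (int(x) for x in expiry.split("-"))
        # A card with expiry YYYY-MM is valid to the end of that month.
        if (year, month) < (today.year, today.month):
            return "purge_card"
    return "keep"


def apply_retention(records, today, dry_run=True):
    """Return (surviving records, {id: action}).

    With dry_run=True the input is left untouched and only the plan is
    returned, so the run can be reviewed before anything is deleted.
    With dry_run=False the purge is applied to copies; a real job would
    issue the corresponding deletes against the data store instead.
    """
    actions = {}
    survivors = []
    for record in records:
        action = classify(record, today)
        actions[record["id"]] = action
        if action == "purge":
            continue
        kept = record if dry_run else copy.copy(record)
        if action == "purge_card" and not dry_run:
            kept["card_pan"] = None
            kept["card_expiry"] = None
        survivors.append(kept)
    return survivors, actions


def masked_pan(pan):
    """Never log a full card number; show only the last four digits."""
    return None if pan is None else "*" * (len(pan) - 4) + pan[-4:]


def example_run(today_iso="2015-08-05", dry_run=False):
    """Run the retention pass over the sample data for an assumed run date."""
    return apply_retention(SAMPLE_RECORDS, date.fromisoformat(today_iso), dry_run)


if __name__ == "__main__":
    survivors, actions = example_run()
    for record in SAMPLE_RECORDS:
        print(record["id"], actions[record["id"]], masked_pan(record["card_pan"]))
    print("kept:", [r["id"] for r in survivors])
```

Run it first with `dry_run=True` and review the returned plan; only the card number’s last four digits ever reach a log line.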
Information Commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
However, Denham also acknowledged that, while Carphone Warehouse’s lax security measures were to blame for the breach, there is no evidence that the stolen data has been used for identity theft or fraud.
Carphone Warehouse, which tells us that it’ll only have to hand over £320,000 due to early payment, said in a statement sent to INQ: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.
“We are very sorry for any distress or inconvenience the incident may have caused.”