The Information Commissioner’s Office (ICO) has fined Carphone Warehouse £400,000, one of the largest penalties it has issued to date.
In 2015 Carphone Warehouse’s computer systems were compromised, giving attackers unauthorised access to the personal data of over three million customers and 1,000 employees.
The intruders got in using valid login credentials, through an installation of WordPress that was six years out of date.
As a result of these failures, personal data including names, addresses, dates of birth, phone numbers and marital status was compromised, along with the historical payment card details of more than 18,000 customers.
The impact on the individuals involved is significant, as their personal data remains at risk of being exploited; hence the heavy penalty.
The ICO also identified multiple inadequacies in the organisation’s approach to data security: Carphone Warehouse had not taken the steps necessary to secure the personal information it was processing.
“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said Elizabeth Denham, the Information Commissioner.
She continued, “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Ms Denham explained:
“The law says it is the company’s responsibility to protect customer and employee personal information.”
“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined.”
“But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”
The penalty comes just months before the EU GDPR takes effect.
From 25 May 2018, the General Data Protection Regulation (GDPR) applies, and organisations will need to have appropriate technical and organisational measures in place to protect the personal data they process.