Carphone Warehouse Breach Results in £400K Fine

The Carphone Warehouse has become the latest UK firm to be slapped with a massive ICO fine after a 2015 data breach compromised the personal information of millions of customers.

The electronics and mobile phone retailer, owned by Dixons Carphone, was fined £400,000 by the ICO after failing to adequately secure its systems. Hackers accessed data on over three million customers including names, addresses, phone numbers, dates of birth and marital status.

Some 18,000 customers had historical payment details accessed, while 1000 employees had data including name, phone numbers, postcode and car registration exposed to the hackers.

The attackers are said to have accessed the data by using valid log-ins for out-of-date WordPress software.

The ICO claimed Carphone Warehouse failed to delete historical data from its records, carry out routine security testing or keep software up-to-date.

“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said information commissioner, Elizabeth Denham, in a statement.

“Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

She added that companies need to put in place layered security to help mitigate growing online threats.

The firm may have been saved from a bigger fine by taking steps to fix some of the problems identified, and because the compromised data has not yet been linked to any identity fraud.

The fine puts Carphone Warehouse up there with TalkTalk in terms of the largest ever penalties levied.

The ISP was slapped with a £400,000 penalty after a 2015 breach but then received a further £100,000 for a separate issue relating to data access by a third-party supplier.

Carphone Warehouse would most likely have been hit with an even bigger fine had the incident occurred after May 25, when the GDPR comes into force. It will give the ICO and other regulators around Europe the power to fine organizations up to 4% of global annual turnover, or £17m.

What’s hot on Infosecurity Magazine?