In 2015, hackers gained unauthorised access to the personal data of more than three million Carphone Warehouse customers and 1,000 of the organisation’s employees.
Today, the security failing has seen the mobile retailer fined £400,000 by the ICO – one of the largest fines it has ever issued.
The retailer accepted the ICO’s findings and fine, and apologised for any distress it “may have caused”.
The Information Commissioner, Elizabeth Denham, said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
A statement from the Carphone Warehouse said: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.”
“We are very sorry for any distress or inconvenience the incident may have caused.”
Despite this being one of the largest fines ever dished out by the ICO, once the GDPR is in force firms can expect much more significant fines for a data breach of this kind.
Indeed, Peter Carlisle, VP EMEA at Thales eSecurity, suggests that “the introduction of the EU General Data Protection Regulation (GDPR) in less than six months’ time will come as a stern warning to those falling short of having the correct cyber defences in place, should companies fail to meet compliance.”
“Once the GDPR is implemented, any organisation that puts the data of its European customers at risk will not only face eye-watering fines, such as those suffered by Carphone Warehouse, but will also be subject to crippling reputational damage.”
“To ensure your organisation is not putting itself in a position of vulnerability, you should ensure you understand the risks to the systems where personal data is processed, stored and also shared. Wherever your data sits in your digital estate, it should be encrypted to the highest level, preparing for the possibility of a cyber-attack, and giving customers the necessary peace of mind.”
In terms of the size of Carphone Warehouse’s fine, Ilia Kolochenko, CEO of web security company High-Tech Bridge, explains that “despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.”
“With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to the bankruptcy of companies who fail to ensure a decent level of cyber security and privacy.”