Carphone Warehouse has been handed a £400,000 fine - just shy of the £500,000 maximum permissible by law - by the Information Commissioner's Office (ICO) over the 2015 data breach that saw the theft of 2.4 million customers' personal details.
News that ne'er-do-wells had made off with a database of Carphone Warehouse, OneStopPhoneShop.com, E2Save.com, Mobiles.co.uk, id Mobile, TalkTalk Mobile, and Talk Mobile broke back in August 2015. 'We took immediate action to secure these systems and launched an investigation with a leading cyber security firm to determine exactly what data was affected,' a Carphone Warehouse spokesperson said at the time, before announcing that the attack had resulted in the names, addresses, dates of birth, bank details of 2.4 million customers being copied, alongside 90,000 encrypted credit card numbers.
A breach of this magnitude attracts regulatory attention, and the Information Commission's Office (ICO) has finally completed its investigation into the breach. The result: a whopping £400,000 fine, four-fifths of the maximum penalty allowed by law.
'A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,' says Information Commissioner Elizabeth Denham of the fine. 'Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.
'The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder The law says it is the company's responsibility to protect customer and employee personal information. Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in. There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.'
The ICO's ruling identified 'multiple inadequacies' in the company's data security procedures including failing to keep its software up-to-date, failing to carry out routine security tests, and not bothering to identify and purge historic data - all told a 'serious contravention of Principle 7 of the Data Protection Act 1998'.