Carphone Warehouse fined £400,000 over 2015 cyber-attack
The Information Commissioner’s Office has issued the fine to Carphone Warehouse, owned by Dixons Carphone, after one of its computer systems was compromised during a cyber-attack in 2015.
Its failure to secure systems meant unauthorised access to the personal data of over three million customers and 1,000 employees. Names, addresses, phone numbers, dates of birth, marital status, and for more than 18,000 customers, historical payment card details were also accessed.
The ICO found that hackers were able to access the system via out-of-date WordPress software and as such, the data breach “would significantly affect individuals’ privacy”, leaving their data at risk of being misused.
Following its investigation, it identified “multiple inadequacies” in Carphone Warehouse’s approach to data security and said it had failed to take necessary steps to protect personal information. Further, the software in systems were found to be out of date and the ICO said there were also inadequate measures in place to identify and purge historic data.
It said this was a “serious contravention”, though the ICO acknowledged that Carphone Warehouse took action to fix some of the problems to protect those affected, and to date, there has been no evidence that the data has resulted in identity theft or fraud.
Information commissioner Elizabeth Denham, said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
A Carphone Warehouse spokesperson said it will pay a fine of £320,000, which includes a 20% reduction for early payment (by 7 February 2018).
They added: “We accept the decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted there was no evidence of any individual data having been used by third parties.
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused.”