Big fine after ‘striking’ data breach failure


The misleadingly named Carphone Warehouse has been heavily fined for a data breach that occurred back in 2015.

Hitting it with a £400,000 penalty, the Information Commissioner’s Office (ICO) slammed the high street firm for its ‘systemic failures’ after hackers accessed the names, addresses, phone numbers, birthdays and marital status of over three million customers and 1,000 members of staff.

Worse, around 18,000 customers also had their historic payment card details accessed during the hack.

Unsurprisingly, the ICO surmised that the breach would have a significant impact on the privacy of the affected individuals.

During its investigation, the ICO found ‘multiple inadequacies’ in the company’s approach to data security, and that it had failed to ‘take adequate steps to protect the personal information’.

And how did the crooks do it? They simply used valid login details to access Carphone Warehouse’s system through outdated WordPress software. Sheesh. (Actually, this blog’s in WordPress so I’d better have a look into this.)

But the breach also revealed other things that the firm was doing poorly, or not at all. Additional ‘important elements’ in its systems were also out of date; it wasn’t carrying out routine security tests; and it didn’t have adequate measures in place to keep an eye on and purge historic data.

So, sounds like a big old mess – but perhaps being relieved of £400,000 (incidentally, one of the biggest penalties the ICO has ever dished out) will help tighten things up. Under the forthcoming GDPR, such sloppiness can expect to be hit with far more punitive fines, so it’s unlikely there will be any staff Christmas parties for the next few years if it happens again.

Elizabeth Denham, the Information Commissioner, said: ‘A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

‘Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.’
