ICO levies £400,000 fine on Carphone Warehouse following 2015 data breach
ICO levies £400,000 fine on Carphone Warehouse following 2015 data breach

Following a cyber-attack in 2015 that caused a data breach from one of Carphone Warehouse's computers, the company has just been given a £400,000 fine, one of the highest fines for a data-breach in the UK to date.


Due to the company's failure to secure its data adequately, the personal data of more than a million customers and a thousand employees was leaked. As the breach entailed personally identifiable data individual privacy was significantly affected and it was deemed likely that the customers and employees were at risk of having their data misused.


Information Commissioner Elizabeth Denham issued a statement saying: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.


“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”


According to the Information Commissioner's Office the reason that hackers were able to breach Carphone Warehouse so easily is because key parts of its software were out of date hence it was failing to adequately protect its customer and employee information. Also, the company itself had not taken sufficient steps to improve its cyber-security, so with the right credentials, the hackers could get into the system, which is how they performed the cyber-attacked and breached the information.


Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies emailed SC Media UK to comment: "The fine is an important statement by the Information Commissioner.  It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database.  

“It is also a shot across the bow of such companies in the run-up to GDPR.  Whilst it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25."


Thomas Fischer, global security advocate at Digital Guardian commented to SC Media UK in an email: “To those affected by this incident, a £400,000 fine might be seen as "too little, too late”. When big companies like Carphone Warehouse stand to face such small fines compared to their annual turnover, the incentive to improve security practices just isn't there. It's one thing to fall foul to an advanced attack, but the ICO report makes it clear that Carphone Warehouse failed to complete essential, but fairly routine, patches for the affected WordPress site. Thankfully, the GDPR will start to be enforceable this year and so the days for data protection complacency really are numbered. Businesses like Carphone Warehouse can expect to swap a £400,000 fine for data breaches for one running into the millions.”


Peter Carlisle, VP EMEA, Thales eSecurity agreed and contacted SC Media UK to say that, " ....with the post-breach audit identifying elements of security software being many years out of date, it acts as a reminder to organisations to run a constant health-check on their business, something that remains essential in today's volatile cyber landscape.

"To ensure your organisation is not putting itself in a position of vulnerability, you should ensure you understand the risks to the systems where personal data is processed, stored and also shared. Wherever your data sits in your digital estate, it should be encrypted to the highest level, preparing for the possibility of a cyber-attack, and giving customers the necessary peace of mind."