Carphone Warehouse has been fined £400 000 by the Information Commissioner's Office (ICO), after serious security failures put the data of its customers and staff at risk.
The breach, which resulted from a cyber attack in 2015, happened because the company failed to properly secure its systems. It enabled unauthorised access to the personal data of over three million customers and 1 000 employees, including names, addresses, phone numbers, dates of birth and marital status. For over 18 000 customers, it also included historical payment card details.
Inadequate security measures
According to the ICO - the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals - the personal data exposed could have a significant effect on individuals' privacy, as their data could be misused.
Elizabeth Denham, the Information Commissioner, said that any company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring they were robust and not vulnerable to such attacks.
Instead, following a lengthy and detailed investigation, the ICO found that Carphone Warehouse had failed to take adequate steps to protect personal information. "Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures," said Denham.
The breach also highlighted major flaws in the company's technical security measures, such as out-of-date software running on its systems, inadequate measures to identify and delete historical data, and a failure to carry out routine security testing.
No evidence of misuse - yet
In a statement, Carphone Warehouse said: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber attack on a specific system within one of Carphone Warehouse's UK divisions in 2015.
"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties."
'This fine is peanuts'
Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says that despite seeming like a relatively large fine, the amount represents a mere £7.50 per breached record.
As the records breached contained very sensitive data, the damages suffered by the victims may be far more egregious, and could last for the next few years as attackers are likely to continuously use and reuse the compromised data. "Exacerbated by the alleged 'systematic failures' to implement commonly accepted standards of data protection, this fine is peanuts," he says.
Kolochenko adds that with the impending enforcement of General Data Protection Regulation in May, similar negligence may cost tremendously more and lead to bankruptcy of companies that fail to ensure a decent level of cybersecurity and privacy.