Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO), after one of the retailer’s computer systems was compromised as a result of a cyber-attack in 2015. The UK data protection regulator said that the company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees.
That compromised customer data included: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The records for some Carphone Warehouse employees, including name, phone numbers, postcode, and car registration were also accessed. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.
Information Commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
In what the regulator called a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. Using valid login credentials, intruders were able to access the system via an out-of-date WordPress software. The regulator said that the incident also exposed inadequacies in the organisation’s technical security measures. Important elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing. There were also inadequate measures in place to identify and purge historic data. The ICO considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998.
The Commissioner acknowledged the steps Carphone Warehouse took to fix some of the problems and to protect those affected. She also acknowledgedthat to date there has been no evidence that the data has resulted in identity theft or fraud.
Ms Denham said: “The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder. The law says it is the company’s responsibility to protect customer and employee personal information. Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in. There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”
Background
The ICO has the power to impose a fine on a data controller of up to £500,000. The ICO fined TalkTalk £400,000 in October 2016 after security failings that allowed a cyber attacker to access customer data. From May 25, as the ICO said, the law is to become more stringent, including bigger fines for failings, under the European Union-wide General Data Protection Regulation (GDPR). The UK’s 2016 vote to leave the EU does not affect the data protection reforms, coming in a Data Protection Bill.
Comments
Commenting, Aaron Higbee, CTO and co-founder of anti-phishing product company PhishMe said this case proves that cyber security requires more than plug-and-play technology. He said: “By issuing one of the largest fines for a data breach, the ICO has maintained its strong stance against companies failing to take security seriously. While, in this case, there were basic technical security measures overlooked, it goes to show how important it is to secure an organisation from multiple angles. We know no singular technology solution can guarantee data breach prevention, which reinforces why technology alone isn’t enough to defend against today’s top threats. It’s time to improve our human focused defences, alongside optimising our technology stacks, in order to stay ahead of evolving attacks and improve defence postures.
“With the right tools and training, a company’s employees should be able to identify and report potentially suspicious activity on a company’s network and can, in fact, become a strong line of defence. By encouraging employees to regularly report emails, for example, susceptibility rates to phishing emails drop significantly, while increasing speeds on incident response efforts. Too often firms look at their employees as the weakest link, however when conditioned and empowered effectively, they’re transformed into one of the enterprise’s strongest defence. After all, as was the case with Carphone Warehouse, it is often the staff that bear the brunt of breach.”
And Peter Carlisle, VP EMEA, Thales eSecurity called the fine a perfect example of the impact a data breach has on a business, even years after the attack. “In this case, with the post-breach audit identifying elements of security software being many years out of date, it acts as a reminder to organisations to run a constant health-check on their business, something that remains essential in today’s volatile cyber landscape. The introduction of the EU General Data Protection Regulation (GDPR) in less than six months’ time will come as a stern warning to those falling short of having the correct cyber defences in place, should companies fail to meet compliance.
“Once the GDPR is implemented, any organisation that puts the data of its European customers at risk will not only face eye-watering fines, such as those suffered by Carphone Warehouse, but will also be subject to crippling reputational damage. To ensure your organisation is not putting itself in a position of vulnerability, you should ensure you understand the risks to the systems where personal data is processed, stored and also shared. Wherever your data sits in your digital estate, it should be encrypted to the highest level, preparing for the possibility of a cyber-attack, and giving customers the necessary peace of mind.”
Ilia Kolochenko, CEO of web security product company High-Tech Bridge, said: “Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged “systematic failures” to implement commonly accepted standards of data protection, this fine is peanuts.”
