Cyber-security: ICO imposes record fine on Carphone Warehouse for breach of data protection law

10 January, 2018

The Information Commissioner’s Office (ICO) has handed down a record £400,000 fine to Carphone Warehouse (equalling the fine imposed on TalkTalk, a former Carphone Warehouse subsidiary, in 2016) for cyber-security failures which allowed unauthorised access to over 3 million customer records and 1,000 employee records.

The failures

Access was obtained via a WordPress installation, and the ICO highlighted a range of cyber-security failures which contributed to the attack’s impact, in particular a lack of adequate:

  • Software patching and measures to check whether software updates and patches were being implemented
  • Control over credentials
  • Vulnerability scanning and penetration testing
  • Web application firewalls to monitor and filter traffic to and from web applications
  • System server antivirus technology
  • Measures to detect attacks or unauthorised entry
  • Unique server root passwords for staff
  • Identification and purging of historic data
  • Understanding of the locations of personal data on IT systems and architecture
  • Security around storage of encryption keys


The lesson

While not all of these contributed to the attack, they all represented cyber-security failures by Carphone Warehouse. In particular, although written policies dealt with many of these issues, those policies were not put into practice.

The ICO has been quite vocal in regard to data protection breaches and has made it clear that the cause and type of a breach will affect the penalties it issues. For example, in relation to the substantial breach by Uber it stated: “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”

Carphone Warehouse might consider itself lucky to have escaped the much higher fines available under GDPR, which applies from 25 May 2018, but this incident should be a stark warning to companies that cyber-security is paramount, and that policies are of no use if they are not put into practice.

For more information on data protection, please contact Elliot Fry at elliot.fry@crippspg.co.uk or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw