The Information Commissioner’s Office has imposed a £400,000 fine on mobile phone retailer Carphone Warehouse following a 2015 cyber attack. Originating from an IP address in Vietnam, the hack went on for 15 days before detection. It exposed the personal data of more than three million customers and 1,000 members of staff.
This penalty relates to a breach of the existing Data Protection Act. Like the fine imposed last year on telecoms company TalkTalk, it is close to the maximum level of £500,000 allowed under the current system. Under the new GDPR regime, which takes effect in May, both standards and possible penalties will be higher. The potential level of fines could be up to €20m (or 4% of worldwide turnover, if higher) in the most extreme cases.
Information Commissioner Elizabeth Denham highlighted Carphone Warehouse’s size and strength as a factor saying
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Multiple inadequacies were found in Carphone Warehouse’s data security. It had failed to carry out routine security testing and used outdated software. Software patching policies were not followed and no measures were in place to check this. Vulnerability scanning and penetration testing also fell short, and antivirus technology was not installed.
The company issued an apology emphasising the steps that it has taken since the attack to improve and upgrade its systems and procedures.
Under the new GDPR regime, organisations will have to build in data security from the outset. The concept of ‘privacy by design’, explained in more detail here, is one of the measures the new law emphasises to ensure that information about individuals is properly protected.