Carphone Warehouse fined £400,000 over 2015 data breach

The successful cyberattack exposed information belonging to millions of UK customers.
Written by Charlie Osborne, Contributing Writer
Wikimedia Commons

Carphone Warehouse has been slapped with a £400,000 fine for a data breach which led to the theft of information belonging to millions of customers.

On Wednesday, the UK Information Commissioner's Office (ICO) said the fine is one of the largest issued in the data watchdog's history.

In 2015, Carphone Warehouse said that a data breach had led to the theft and exposure of sensitive, personal information belonging to up to 2.4 million customers.

However, an investigation revealed that the security incident actually allowed unauthorized access to the data of over three million customers and roughly 1,000 employees.

The names, addresses, dates of birth, marital status and historical payment card details of customers were stolen alongside the names, phone numbers, postcodes, and car registration details of staff members.

The "sophisticated cyberattack" attracted the attention of the ICO, which said, "the personal data involved would significantly affect individuals' privacy, leaving their data at risk of being misused."

According to the agency, the UK mobile device retail giant's approach to data security was inadequate and Carphone Warehouse had failed to take "adequate steps" to protect data -- a serious breach of the Data Protection Act of 1998.

The data breach occurred as the cyberattackers were able to obtain login credentials through WordPress software which was not kept up-to-date and patched against vulnerabilities.

Carphone Warehouse also failed to keep other software up-to-date and did not carry out regular security tests. The company also did not identify and purge historic data properly -- which means that the firm may have kept information on file without cause.

"A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks," said Information Commissioner Elizabeth Denham. "Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

See also: CoffeeMiner hijacks public Wi-Fi users' browsing sessions to mine cryptocurrency

There have been no reported cases of customer or staff information sales or abuse to date and the company has fixed "some" of the problems highlighted by the ICO.

However, with data protection regulations set to become tougher in the UK with the introduction of the General Data Protection Regulation (GDPR), which requires protection by design, Carphone Warehouse -- and every other company in the country -- will need to do better than fix "some" problems to avoid future fines.

"There will always be attempts to breach organizations' systems and cyber-attacks are becoming more frequent as adversaries become more determined," Denham added. "But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees."

10 steps to erase your digital footprint

Previous and related coverage

    Satori IoT botnet malware code given away for Christmas

    It is a Happy New Year for threat actors targeting Huawei devices, it appears.

    Adobe patches information leak vulnerability

    The bug impacts Windows, Mac, and Linux machines.

    Savage Security snapped up by Threatcare

    Savage Security was assisting Threatcare with research before the buyout.

      Editorial standards