Sara Verbruggen

Freelance journalist


Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
January 11, 2018



Carphone Warehouse fine – one of the biggest-ever dished out by ICO – could be 79 times higher under GDPR

Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for a data breach that occurred in 2015.

Hackers had accessed the personal data – including names, addresses, phone numbers and dates of birth – of more than three million customers and 1,000 employees. The attack managed to reveal the historical payment details of more than 18,000 customers.

The fine is one of the largest ever issued by the ICO.

Nevertheless, the smartphone retailer will be grateful that the breach occurred prior to enforcement of the GDPR, which comes into force in May of this year.

According to analysis by NCC Group, an identical fine levied on TalkTalk in 2016 for a similar breach would be £59m under the new regime.


But the increased penalties are warranted, according to Ilia Kolochenko, CEO of cybersecurity specialist High-Tech Bridge. “Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record,” he said of the Carphone Warehouse penalty.

“With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.”


Similar negligence under the GDPR could potentially lead to bankruptcy for offending companies, Kolochenko believes.

NCC’s security consultants undertook analysis of all ICO fines from 2015-2016. Using the current maximum penalty as a guide, the analysis created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be.

The fines levied in 2016 would on average be 79 times higher under the incoming regime.

The Information Commissioner, Elizabeth Denham, said: “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

A statement from the company said: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”

The data breach affected Carphone Warehouse’s online division, which operated various websites, including

Carphone Warehouse stated that it accepts the ICO’s findings and apologised for any distress it “may have caused”.

Following the cyber-attack, Carphone Warehouse claims it has worked with cyber security experts to improve and upgrade its security systems and processes.
