Sara Verbruggen

Freelance journalist

Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
January 11, 2018

CYBERSECURITY BREACH

Carphone Warehouse fine – one of the biggest-ever dished out by ICO – could be 79 times higher under GDPR

Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for a data breach that occurred in 2015.

Hackers had accessed the personal data – including names, addresses, phone numbers and dates of birth – of more than three million customers and 1,000 employees. The attackers also exposed the historical payment details of more than 18,000 customers.

The fine is one of the largest ever issued by the ICO.

Nevertheless, the smartphone retailer will be grateful that the breach occurred prior to enforcement of the GDPR, which comes into force in May of this year.

According to analysis by NCC Group, an identical fine levied on TalkTalk in 2016 for a similar breach would be £59m under the new regime.

“Peanuts”

But the increased penalties are warranted, according to Ilia Kolochenko, CEO of cybersecurity specialist High-Tech Bridge. “Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record,” he said of the Carphone Warehouse penalty.

“With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.”

Similar negligence under the GDPR could potentially lead to the bankruptcy for offending companies, Kolochenko believes.

NCC’s security consultants analysed all ICO fines issued in 2015-2016. Using the current maximum penalty as a guide, they built a model to determine which tier each fine would fall into and what the maximum post-GDPR fine would likely be.

The fines levied in 2016 would on average be 79 times higher under the incoming regime.

The Information Commissioner, Elizabeth Denham, said: “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

A statement from the company said: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”

The data breach affected Carphone Warehouse’s online division, which operated various websites, including OneStopPhoneShop.com.

Carphone Warehouse stated that it accepts the ICO’s findings and apologised for any distress it “may have caused”.

Following the cyber-attack, Carphone Warehouse claims it has worked with cyber security experts to improve and upgrade its security systems and processes.

Comments

Henry Cazalet, Guest
The ICO are certainly ramping up the pressure on companies that fail to protect customer data or persist in outlandish spamming. Fines have increased by 58% in the past year and January was a record month for fines. The ICO name and shame all the guilty companies on their website but they don’t categorise the fines or offer any further trend analysis. My company, The SMS Works, has trawled through all this fines data and it certainly throws up some interesting and sometimes puzzling findings. For example, the fines for email spam are, on average, just half of those for…