Avatar photo

Freelance journalist

Author Bio ▼

Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
January 11, 2018

Sign up to free email newsletters


The Video Surveillance Report 2022


Carphone Warehouse fine – one of the biggest-ever dished out by ICO – could be 79 times higher under GDPR

Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for a data breach that occurred in 2015.

Hackers had accessed the personal data – including names, addresses, phone numbers and dates of birth – of more than three million customers and 1,000 employees. The attack managed to reveal the historical payment details of more than 18,000 customers.

The fine is one of the largest ever issued by the ICO.

Nevertheless, the smartphone retailer will be grateful that the breach occurred prior to enforcement of the GDPR, which comes into force in May of this year.

According to analysis by NCC Group, an identical fine levied on TalkTalk in 2016 for a similar breach would be £59m under the new regime.


But the increased penalties are warranted, according to Ilia Kolochenko, CEO of cybersecurity specialist High-Tech Bridge. “Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record,” he said of the Carphone Warehouse penalty.

“With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.”

“Similar negligence under the GDPR could potentially lead to the bankruptcy for offending companies”

Similar negligence under the GDPR could potentially lead to the bankruptcy for offending companies, Kolochenko believes.

NCC’s security consultants undertook analysis of all ICO fines from 2015-2016. Using the current maximum penalty as a guide, the analysis created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be.

The fines levied in 2016 would on average be 79 times higher under the incoming regime.

The Information Commissioner, Elizabeth Denham, said: “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

A statement from the company said: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”

The data breach affected Carphone Warehouse’s online division, which operated various websites, including OneStopPhoneShop.com.

Carphone Warehouse stated that it accepts the ICO’s findings and apologised for any distress it “may have caused”.

Following the cyber-attack, Carphone Warehouse claims it has worked with cyber security experts to improve and upgrade its security systems and processes.

Listen to the IFSEC Global podcast!

Each month, the IFSEC Global Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Related Topics

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Henry Cazalet
Henry Cazalet
March 7, 2018 9:54 am

The ICO are certainly ramping up the pressure on companies that fail to protect customer data or persist in outlandish spamming. Fines have increased by 58% in the past year and January was a record month for fines. The ICO name and shame all the guilty companies on their website but they don’t categories the fines or offer any further trend analysis. My company, The SMS Works, has trawled through all this fines data and it certainly throws up some interesting and sometimes puzzling findings. For example, the fines for email spam are on average, just half of those for… Read more »