
Carphone Warehouse fine – one of the biggest-ever dished out by ICO – could be 79 times higher under GDPR

Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for a data breach that occurred in 2015.

Hackers had accessed the personal data – including names, addresses, phone numbers and dates of birth – of more than three million customers and 1,000 employees. The attack also exposed the historical payment card details of more than 18,000 customers.

The fine is one of the largest ever issued by the ICO.

Nevertheless, the smartphone retailer will be grateful that the breach occurred prior to enforcement of the GDPR, which comes into force in May of this year.

According to analysis by NCC Group, the identical £400,000 fine levied on TalkTalk in 2016 for a similar breach would have been £59m under the new regime.

“Peanuts”

But the increased penalties are warranted, according to Ilia Kolochenko, CEO of cybersecurity specialist High-Tech Bridge. “Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record,” he said of the Carphone Warehouse penalty.

“With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.”


Similar negligence under the GDPR could potentially lead to bankruptcy for offending companies, Kolochenko believes.

NCC’s security consultants undertook analysis of all ICO fines from 2015-2016. Using the current maximum penalty as a guide, the analysis created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be.

The fines levied in 2016 would on average be 79 times higher under the incoming regime.

The Information Commissioner, Elizabeth Denham, said: “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

A statement from the company said: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.”

The data breach affected Carphone Warehouse’s online division, which operated various websites, including OneStopPhoneShop.com.

Carphone Warehouse stated that it accepts the ICO’s findings and apologised for any distress it “may have caused”.

Following the cyber-attack, Carphone Warehouse claims it has worked with cyber security experts to improve and upgrade its security systems and processes.

