Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO), after a data breach allowed unauthorised access to the personal data of over three million customers and 1,000 employees.
The compromised data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.
Using valid login credentials, intruders were able to access the system via an out-of-date version of WordPress, the world’s most popular blogging software.
The ICO said the incident exposed inadequacies in the organisation’s technical security measures, including failure to carry out routine security testing and inadequate measures to identify and remove historic data.
Elizabeth Denham, Information Commissioner at the ICO, said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The commissioner acknowledged the steps Carphone Warehouse took to fix some of the problems and to protect those affected and stressed that to date “there has been no evidence that the data has resulted in identity theft or fraud”.
Denham added: “The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder. The law says it is the company’s responsibility to protect customer and employee personal information.
“Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.
“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”