The Information Commissioner’s Office (ICO) announced yesterday that it had fined Carphone Warehouse £400,000 over a cyber-attack in 2015. The company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees, including names, addresses, phone numbers, dates of birth, marital status and payment card details. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused, although it acknowledged that there was no evidence that this had happened.
Using valid login credentials, intruders were able to access a Carphone Warehouse system via out-of-date WordPress software. The ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. In particular, its investigation highlighted that:
- Important elements of the software in use on the systems affected were out of date;
- The company failed to carry out routine security testing; and
- There were inadequate measures in place to identify and purge historic data.
In summary, the Information Commissioner said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
With just over four months to go before GDPR comes into force, this is another reminder of the need to ensure information security management systems are fit for purpose. Follow the link to see how we can help.