Back in 2015 Carphone Warehouse got hacked, exposing data from over 3 million customers and 1,000 staff members. Today the Information Commissioner's Office has saddled them with a £400,000 fine for not ensuring that data's safety.
It's one of the biggest fines the ICO has dealt out, and it's not hard to see why. The breach exposed names, addresses, dates of birth, and other personal details, along with "historical" card details of 18,000 customers. While the ICO says there's no evidence the breach has led to identity theft or fraud, it's not letting Carphone Warehouse off the hook - especially when you realise how stupid the breach was.
According to the ICO, the hack was the result of intruders using valid login details to access an out-of-date version of WordPress. The hack and the resulting investigation also exposed serious flaws in Carphone Warehouse's security, with out-of-date systems in use and evidence that it hadn't performed routine security testing. The measures used to identify and destroy historical data were also deemed inadequate.
The ICO notes that, while the company took steps to fix the problems and protect the people affected by the breach, this still amounted to a "serious contravention" of the Data Protection Act.
Information Commissioner Elizabeth Denham said:
“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”