
£400k fine: Is it big enough for Carphone Warehouse’s huge data breach?

11 Jan 2018

The Information Commissioner’s Office (ICO) has issued a whopping £400,000 fine to Carphone Warehouse after its data breach in 2015.

The ICO reported that ‘striking’ security issues and ‘systemic failures’ led to the colossal breach, which affected more than three million customers and a thousand employees. The retailer therefore breached the seventh principle of the Data Protection Act, which requires appropriate technical and organisational measures to keep personal data secure.

Hackers broke into Carphone Warehouse’s online systems and compromised data including names, addresses, phone numbers, dates of birth and marital status, and, for an unfortunate 18,000 customers, historical payment card details.

The ICO deemed the breach disappointing: a company the size of Carphone Warehouse should have been ‘actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.’

According to Information Commissioner Elizabeth Denham, what is concerning is that the failures the ICO found related to rudimentary and commonplace measures.

Here are some insights from experts in the industry:

Ilia Kolochenko, CEO of web security company High-Tech Bridge

"Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged "systematic failures" to implement commonly accepted standards of data protection, this fine is peanuts.

With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy."

Thomas Fischer, Global Security Advocate at Digital Guardian

“To those affected by this incident, a £400,000 fine might be seen as ‘too little, too late’. When big companies like Carphone Warehouse stand to face such small fines compared to their annual turnover, the incentive to improve security practices just isn't there.

It’s one thing to fall foul of an advanced attack, but the ICO report makes it clear that Carphone Warehouse failed to complete essential, but fairly routine, patches for the affected WordPress site. Thankfully, the GDPR will start to be enforceable this year and so the days for data protection complacency really are numbered. Businesses like Carphone Warehouse can expect to swap a £400,000 fine for data breaches for one running into the millions.”

Nir Polak, CEO at Exabeam

“This incident highlights why it is essential for companies to understand exactly how individuals are interacting with the network and data. Had Carphone Warehouse had a means to monitor user activities, its incident response team could have spotted unusual use of valid credentials to access the affected databases.

Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation’s security posture.”
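The kind of user-activity profiling described in the quote above, as an added example that is not part of the original article and is not Exabeam's code: a per-user baseline is built from historical database-access log lines, then new events are checked against it, so that valid credentials being used from a new host, against a database the user has never touched, at an unusual hour, or to pull an unusual volume of rows raise an alert. The log format, user names, host names, database names and row counts are all constructed for illustration.

```python
"""Minimal per-user behaviour baseline for spotting unusual use of valid credentials.

Added example, not code from the article or from any vendor quoted in it.
The log format ("timestamp user source_host database rows_returned") and all
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log: what each user normally does (the baseline).
BASELINE_LOG = """\
2015-07-01T09:12:00 alice ws-101 crm_customers 40
2015-07-01T10:30:00 alice ws-101 crm_customers 25
2015-07-02T11:05:00 alice ws-101 crm_customers 60
2015-07-01T14:00:00 bob ws-207 inventory 12
2015-07-02T15:20:00 bob ws-207 inventory 8
2015-07-03T09:45:00 bob ws-207 inventory 15
"""

# Constructed new log: two normal events and two that use valid credentials oddly.
NEW_LOG = """\
2015-08-05T10:00:00 alice ws-101 crm_customers 35
2015-08-05T02:13:00 alice vpn-ext-9 payment_cards 180000
2015-08-05T14:10:00 bob ws-207 inventory 10
2015-08-05T03:40:00 bob ws-207 crm_customers 500
"""


def parse(log):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, db, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "db": db, "rows": int(rows)})
    return events


def build_profiles(events):
    """Collect, per user, the hosts, databases and hours seen and the largest result set."""
    profiles = defaultdict(lambda: {"hosts": set(), "dbs": set(),
                                    "hours": set(), "max_rows": 0})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        p["dbs"].add(e["db"])
        p["hours"].add(e["ts"].hour)
        p["max_rows"] = max(p["max_rows"], e["rows"])
    return profiles


def score_event(profile, e, volume_factor=10):
    """Return the list of ways this event departs from the user's baseline."""
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if e["host"] not in profile["hosts"]:
        reasons.append(f"new source host {e['host']}")
    if e["db"] not in profile["dbs"]:
        reasons.append(f"never-before-accessed database {e['db']}")
    if e["ts"].hour not in profile["hours"]:
        reasons.append(f"access at unusual hour {e['ts'].hour:02d}:00")
    if e["rows"] > volume_factor * profile["max_rows"]:
        reasons.append(f"row volume {e['rows']} exceeds {volume_factor}x "
                       f"baseline max {profile['max_rows']}")
    return reasons


def detect_anomalies(baseline_log, new_log, min_reasons=2):
    """Alert on events with no baseline or with at least min_reasons deviations.

    Requiring two independent deviations keeps a single late-night login
    from paging anyone; a new host plus a new database plus a huge pull does.
    Returns a list of (user, timestamp, reasons) tuples.
    """
    profiles = build_profiles(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        profile = profiles.get(e["user"])  # .get() does not create a default entry
        reasons = score_event(profile, e)
        if profile is None or len(reasons) >= min_reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(BASELINE_LOG, NEW_LOG):
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

On the constructed input this raises two alerts: alice's 02:13 pull of 180,000 rows from a payment database via a host she has never used (four deviations), and bob's 03:40 access to a customer database outside his baseline (three deviations). The routine 10:00 and 14:10 events pass silently, which is the point of profiling: the credentials in all four events are valid, and only the baseline separates them.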
