£400k fine: Is it big enough for Carphone Warehouse’s huge data breach?

11 Jan 18

The Information Commissioner’s Office (ICO) has issued a whopping £400,000 fine to Carphone Warehouse after its data breach in 2015.

The ICO reported that ‘striking’ security issues and ‘systemic failures’ led to the colossal breach of records belonging to more than three million customers and a thousand employees, meaning the retailer breached the seventh principle of the Data Protection Act: it did not have appropriate technical or organisational measures in place to keep personal data secure.

Hackers broke into Carphone Warehouse’s online department to compromise data including names, addresses, phone numbers, dates of birth, marital status – and for an unfortunate 18,000, historical payment card details.

The ICO deemed the breach disappointing, as a company the size of Carphone Warehouse should have been ‘actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.’

According to Information Commissioner Elizabeth Denham, what is concerning is that the failures the ICO found related to rudimentary and commonplace measures.

Here are some insights from experts in the industry:

Ilia Kolochenko, CEO of web security company High-Tech Bridge

“Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.

With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy.”

Thomas Fischer, Global Security Advocate at Digital Guardian

“To those affected by this incident, a £400,000 fine might be seen as ‘too little, too late’. When big companies like Carphone Warehouse stand to face such small fines compared to their annual turnover, the incentive to improve security practices just isn't there.

It’s one thing to fall foul to an advanced attack, but the ICO report makes it clear that Carphone Warehouse failed to complete essential, but fairly routine, patches for the affected WordPress site. Thankfully, the GDPR will start to be enforceable this year and so the days for data protection complacency really are numbered. Businesses like Carphone Warehouse can expect to swap a £400,000 fine for data breaches for one running into the millions.”

Nir Polak, CEO at Exabeam

“This incident highlights why it is essential for companies to understand exactly how individuals are interacting with the network and data. Had Carphone Warehouse had a means to monitor user activities, its incident response team could have spotted unusual use of valid credentials to access the affected databases.

Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation’s security posture.”
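The monitoring Nir Polak describes, spotting unusual use of valid credentials against a database, comes down to building a per-user baseline and flagging departures from it. The following is an added illustration written for this article, not code from Exabeam or from Carphone Warehouse, and it runs on a small set of constructed access events rather than any real log data. It profiles each user's usual source IPs, databases and working hours from a baseline window, then scores later events and reports why each one looks anomalous (new IP, new database, off-hours access, or a user with no baseline at all). The hour comparison deliberately ignores midnight wrap-around to keep the logic readable.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events for illustration only (user, ISO timestamp, source IP, database).
# These are not real Carphone Warehouse records.
BASELINE_EVENTS = [
    ("alice", "2015-07-01T09:12:00", "10.0.1.15", "orders_db"),
    ("alice", "2015-07-02T10:40:00", "10.0.1.15", "orders_db"),
    ("alice", "2015-07-03T14:05:00", "10.0.1.15", "orders_db"),
    ("bob",   "2015-07-01T08:30:00", "10.0.2.7",  "customers_db"),
    ("bob",   "2015-07-02T17:55:00", "10.0.2.7",  "customers_db"),
    ("bob",   "2015-07-03T11:20:00", "10.0.2.9",  "customers_db"),
]

# Later events to score against the baseline (also constructed).
NEW_EVENTS = [
    ("alice", "2015-07-10T11:00:00", "10.0.1.15",  "orders_db"),     # looks normal
    ("alice", "2015-07-11T03:14:00", "203.0.113.5", "customers_db"), # new IP, new DB, off-hours
    ("bob",   "2015-07-10T23:45:00", "10.0.2.7",   "customers_db"),  # off-hours only
    ("carol", "2015-07-10T12:00:00", "10.0.3.1",   "payments_db"),   # account never seen before
]


def build_profiles(events):
    """Collect each user's observed source IPs, databases and access hours."""
    profiles = defaultdict(lambda: {"ips": set(), "dbs": set(), "hours": set()})
    for user, ts, ip, db in events:
        hour = datetime.fromisoformat(ts).hour
        profile = profiles[user]
        profile["ips"].add(ip)
        profile["dbs"].add(db)
        profile["hours"].add(hour)
    return dict(profiles)


def score_event(profiles, event, hour_slack=2):
    """Return the list of reasons an event departs from the user's baseline (empty = normal)."""
    user, ts, ip, db = event
    if user not in profiles:
        # Valid credentials with no history at all deserve a look on their own.
        return ["no baseline for user"]
    profile = profiles[user]
    reasons = []
    if ip not in profile["ips"]:
        reasons.append("new source ip")
    if db not in profile["dbs"]:
        reasons.append("new database")
    hour = datetime.fromisoformat(ts).hour
    # Off-hours if the event is more than hour_slack hours from every hour seen in the baseline.
    if all(abs(hour - seen) > hour_slack for seen in profile["hours"]):
        reasons.append("outside usual hours")
    return reasons


def detect(baseline, new_events):
    """Profile users from the baseline window and return (user, timestamp, reasons) for anomalies."""
    profiles = build_profiles(baseline)
    alerts = []
    for event in new_events:
        reasons = score_event(profiles, event)
        if reasons:
            alerts.append((event[0], event[1], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

In a real deployment the baseline would be rebuilt on a rolling window and the reasons weighted into a score, but the shape is the same: the first alice event passes, the second trips all three checks, bob's late-night access is flagged on timing alone, and carol is surfaced simply because the account has no history.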