The Information Commissioner’s Office (ICO) has hit mobile phone retailer Carphone Warehouse with a £400,000 penalty for failing to secure customers’ details after a main computer was compromised in a cyberattack.
The compromised details included customers’ names, addresses and phone numbers, as well as historical payment card details. The personal details of some of the firm’s employees were also accessed, the ICO said.
It is understood that over three million customers’ details were accessed.
“The incident also exposed inadequacies in the organisation’s technical security measures. Important elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing,” the ICO said. “There were also inadequate measures in place to identify and purge historic data.”
The ICO added that it considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998.
The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018.
The UK is introducing measures related to this and wider data protection reforms in a Data Protection Bill.
In response, Carphone Warehouse said it had “moved quickly” at the time to secure its systems and to inform the ICO and potentially affected customers.
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes,” it said.
Information Commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”