UK: Phone retailer Carphone Warehouse fined £400,000 over data hack
10 Jan 2018

The Information Commissioner’s Office (ICO) has hit mobile phone retailer Carphone Warehouse with a £400,000 penalty for failing to secure customers’ details after a main computer was compromised in a cyberattack.

The compromised details included customers’ names, addresses and phone numbers, as well as historical payment card details. The personal details of some of the firm’s employees were also accessed, the ICO said.

It is understood that over three million customers’ details were accessed.

“The incident also exposed inadequacies in the organisation’s technical security measures. Important elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing,” the ICO said. “There were also inadequate measures in place to identify and purge historic data.”

The ICO added that it considered this to be a serious contravention of Principle 7 of the Data Protection Act 1998.

The European Union’s General Data Protection Regulation (GDPR) is a new law which will apply in the UK from 25 May 2018.

The UK is introducing measures related to this and wider data protection reforms in a Data Protection Bill.

In response, Carphone Warehouse said it had “moved quickly” at the time to secure its systems and to inform the ICO and potentially affected customers.

“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes,” it said.

Information Commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
