Mobile retail firm Carphone Warehouse must pay a massive fine after security failings at the company allowed a hack that compromised the data of approximately three million customers and 1,000 employees.
Vast quantities of data compromised
It is one of the largest fines ever issued by the Information Commissioner’s Office, and the data compromised in 2015 was extensive.
Names, addresses, dates of birth, marital status and phone numbers were all leaked. 18,000 of the customers also had their historical payment card details compromised.
Information commissioner Elizabeth Denham admonished the company, saying that a business as “large, well-resourced and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks”.
She described the ICO’s findings as concerning, with systemic failures apparent in rudimentary and commonplace security measures.
Hackers were able to use valid login credentials to access the company’s system via an out-of-date version of WordPress.
The ICO found the company had many out-of-date software elements and routine security tests were not carried out.
The identification and purging of historic data was also found to be inadequate, which the ICO considered a contravention of Principle Seven of the UK Data Protection Act 1998.
A spokesperson for the company said Carphone Warehouse had cooperated in full with the ICO, and had moved swiftly to put additional security measures in place, informing the ICO and potentially affected customers and staff.
The spokesperson also said since the attack the company had been working extensively with cybersecurity firms to “improve and upgrade our security systems and processes”.
GDPR will see stricter punishments
With the GDPR incoming, fines from EU data protection regulators are set to dramatically increase, so companies will be wary of potential fallout if they have any underlying data issues.
Data protection by design is also a key element of the GDPR, and strong IT governance and information security measures must be tested in order to comply.
Denham concluded: “The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.
“The law says it is the company’s responsibility to protect customer and employee personal information.
“Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.”
The post Carphone Warehouse hit with £400,000 fine over data breach appeared first on Silicon Republic.