NEWS11 January 2018
UK – Carphone Warehouse has been fined £400,000 – one of the highest issued by the Information Commissioner’s Office (ICO) – after data security failures put customer and employee data at risk.
The company’s computer systems were compromised after a cyber-attack in 2015 and its failure to secure the system allowed unauthorised access to the personal data of more than three million customers and 1,000 employees.
The compromised customer data included: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.
Using valid login credentials, intruders were able to access the system via an out-of-date WordPress software.
Information Commissioner Elizabeth Denham said: “A company as large, well-resourced and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The Commissioner acknowledged that Carphone Warehouse took steps to fix some of the problems and to protect those affected. To date there has been no evidence that the data has resulted in identity theft or fraud.