The Information Commissioner’s Office has fined Carphone Warehouse £400,000 for suffering a cyber-attack in 2015 that compromised personal details of over three million customers and 1,000 employees.
The fine issued by the Information Commissioner’s Office to Carphone Warehouse is similar to the one issued to TalkTalk in 2016 after the telecom company suffered a massive data breach following a cyber-attack in October 2015.
By issuing such a large fine to Carphone Warehouse, the Information Commissioner’s Office has once again signalled its intent to crack down on firms that hold large amounts of customer data yet fail to secure their systems against cyber threats.
Back in August 2015, Carphone Warehouse announced that it had suffered a major cyber-attack that led to the loss of personal details of millions of customers and over 1,000 employees. The ICO later confirmed that the cyber-attack compromised personal data of over three million customers, including names, addresses, phone numbers, dates of birth and marital status.
Hackers were also able to access historical payment card details of more than 18,000 Carphone Warehouse customers. The affected division of Carphone Warehouse operated the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk and provided services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.
Earlier today, the Information Commissioner’s Office announced that it has issued a fine of £400,000 to Carphone Warehouse for its lax approach to data security, thereby placing customer and employee data at risk.
‘A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,’ said Information Commissioner Elizabeth Denham.
‘Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,’ she added.
‘The fine is an important statement by the Information Commissioner. It shows how highly companies should value the sanctity of their data in an age of massive breaches, especially in the case of a large trusted brand with a big customer database.
‘It is also a shot across the bow of such companies in the run-up to GDPR. Whilst it is a relatively large headline figure, it is a fraction of what is possible under the new legislation which comes into force on May 25,’ said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies.
Following large-scale data breaches suffered by the likes of Carphone Warehouse and TalkTalk, a survey of UK consumers by the Institute of Customer Service revealed widespread public support for erring firms to be fined extensively by authorities.
While 86% of those polled wanted the government to review data protection laws, 77% wanted firms to be more proactive in protecting data from cyber-attacks. Only 13% were confident that their private information was safe in the hands of organisations they had shared it with, and only 15% believed companies would do everything in their power to prevent this information from being lost or stolen. A further 28% of those polled said that they would avoid companies that had experienced a breach.
While announcing the fine issued to Carphone Warehouse, the ICO also warned businesses and data handlers about the upcoming data protection law, which will empower the watchdog to issue fines of up to 4% of a firm’s annual worldwide turnover or €20 million, whichever is higher.
Under penalties of that scale, the total costs incurred by firms because of their failure to defend against cyber-attacks could rise from a mere £1.4bn in 2015 to £122bn in 2022. The message behind the new regulations is for large firms to either pull up their socks or face impending financial ruin and loss of face.
‘From 25 May this year, the law is set to get more stringent as the General Data Protection Regulation (GDPR) comes into effect. Data protection by design is one of the requirements and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards, and policies that an organisation has or should have.
‘Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law,’ the ICO said.
To ensure that firms with fewer resources to invest in cyber security are also able to comply with the upcoming data protection law, the ICO launched a new helpline last year exclusively for small and medium-sized businesses.
‘Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.
‘Our new phone service and all the other resources already on our website plus even more advice and guidance yet to come will help steer small businesses through the new law,’ said Denham.