UK-based Carphone Warehouse has been fined £400,000 ($550,000) by the British Information Commissioner’s Office (ICO) for a series of “systemic failures” uncovered in a nearly two-year investigation into a massive data breach that occurred in 2015.
Hackers bypassed Carphone Warehouse’s security in 2015 with little difficulty and gained access to customers’ names and addresses and, in some cases, their credit card details.
The fine equals the UK record penalty levied against another UK telecommunications company, TalkTalk. Notably, TalkTalk was previously owned by Carphone Warehouse.
Three million customers
The 2015 breach exposed the personal data of over three million customers and 1,000 employees. The hackers also obtained dates of birth and marital status, and, for an unlucky 18,000 customers, historical payment card data.
“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said UK Information Commissioner Elizabeth Denham. “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Would you like to update now?
The hackers gained access to Carphone Warehouse’s IT systems easily by exploiting out-of-date WordPress software, exactly the kind of rudimentary, commonplace measure the ICO was referring to. The ICO also said that there was so far no evidence that the inadequate security measures at Carphone Warehouse had resulted in identity theft or fraud.
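An outdated WordPress install is easy to find because the software advertises its own version, both to anyone who fetches a page and in a file on the server. The following is an added example, not code from the original article, the ICO report or Carphone Warehouse: it pulls the version out of a page’s generator meta tag and core asset URLs, reads it from `wp-includes/version.php` on the host, and flags anything below a baseline. The sample HTML and `version.php` text are constructed, and the `MINIMUM_VERSION` value is a hypothetical baseline chosen for illustration.

```python
"""Detect an out-of-date WordPress install from its own fingerprints.

Added example, not material from the article or the parties it describes.
The HTML and version.php text below are constructed samples, and
MINIMUM_VERSION is a hypothetical baseline, not a real advisory threshold.
"""
import re
from typing import Optional, Tuple

# Unauthenticated fingerprints: the generator meta tag and the ?ver= query
# string WordPress appends to its own core stylesheets. Bundled libraries
# such as jQuery carry their *own* version in ?ver=, so only the
# wp-includes/css/ path is trusted here.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
CORE_CSS_VER_RE = re.compile(
    r'/wp-includes/css/[^"\'>\s]+\?ver=([\d.]+)', re.I)
# On-host fingerprint: wp-includes/version.php holds $wp_version = '4.9.1';
VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*'([\d.]+)'")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.9.1' -> (4, 9, 1); padded so '4.9' and '4.9.0' compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def fingerprint_version(html: str) -> Optional[str]:
    """Return the highest WordPress version string a page leaks, or None."""
    found = GENERATOR_RE.findall(html) + CORE_CSS_VER_RE.findall(html)
    if not found:
        return None
    return max(found, key=parse_version)


def version_from_version_php(php_source: str) -> Optional[str]:
    """Return the version declared in wp-includes/version.php, or None."""
    match = VERSION_PHP_RE.search(php_source)
    return match.group(1) if match else None


def is_outdated(version: str, minimum: str) -> bool:
    """True when `version` is older than the `minimum` baseline."""
    return parse_version(version) < parse_version(minimum)


# Constructed sample of the kind of page an unpatched install serves.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.9.2" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=3.9.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.1"></script>
</head><body></body></html>"""

# Constructed sample of wp-includes/version.php from the same install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.9.2';\n$wp_db_version = 27916;\n"

MINIMUM_VERSION = "4.9.1"  # hypothetical baseline; use the current release

if __name__ == "__main__":
    remote = fingerprint_version(SAMPLE_HTML)
    local = version_from_version_php(SAMPLE_VERSION_PHP)
    for label, found in (("remote fingerprint", remote), ("version.php", local)):
        status = "OUTDATED" if found and is_outdated(found, MINIMUM_VERSION) else "ok"
        print(f"{label}: {found} -> {status}")
```

Run against a real estate, the remote check is what an attacker performs before choosing an exploit, and the on-host check is what an asset inventory should perform on every web server; if the two disagree, the page is being served by something other than the install you think you patched.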
Too little, too late
In a statement, Carphone Warehouse said: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.”