
£400k fine: Is it big enough for Carphone Warehouse’s huge data breach?

11 Jan 2018

The Information Commissioner’s Office (ICO) has issued a whopping £400,000 fine to Carphone Warehouse after its data breach in 2015.

The ICO reported that ‘striking’ security issues and ‘systemic failures’ led to the colossal breach, which affected more than three million customers and a thousand employees. This meant the giant retailer breached the seventh principle of the Data Protection Act, as it did not have appropriate technical or organisational measures in place to keep personal data secure.

Hackers broke into Carphone Warehouse’s online department to compromise data including names, addresses, phone numbers, dates of birth, marital status – and for an unfortunate 18,000, historical payment card details.

The ICO described the breach as disappointing, since a company the size of Carphone Warehouse should have been ‘actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.’

According to Information Commissioner Elizabeth Denham, what is concerning is that the failures the ICO found related to rudimentary and commonplace measures.

Here are some insights from experts in the industry:

Ilia Kolochenko, CEO of web security company High-Tech Bridge

"Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged ‘systematic failures’ to implement commonly accepted standards of data protection, this fine is peanuts.

With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy."

Thomas Fischer, Global Security Advocate at Digital Guardian

“To those affected by this incident, a £400,000 fine might be seen as ‘too little, too late’. When big companies like Carphone Warehouse stand to face such small fines compared to their annual turnover, the incentive to improve security practices just isn't there.

It’s one thing to fall foul of an advanced attack, but the ICO report makes it clear that Carphone Warehouse failed to complete essential, but fairly routine, patches for the affected WordPress site. Thankfully, the GDPR will start to be enforceable this year and so the days for data protection complacency really are numbered. Businesses like Carphone Warehouse can expect to swap a £400,000 fine for data breaches for one running into the millions.”

Nir Polak, CEO at Exabeam

“This incident highlights why it is essential for companies to understand exactly how individuals are interacting with the network and data. Had Carphone Warehouse had a means to monitor user activities, its incident response team could have spotted unusual use of valid credentials to access the affected databases.

Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation’s security posture.”
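The monitoring Polak describes, spotting a valid credential being used in an unfamiliar way against a database, can be illustrated with a small per-user baseline. The script below is an added example for this article; it is not code from the article, from Exabeam or from Carphone Warehouse. The log format, the user names (`svc_web`, `dba_amy`), the host names and the database names are all constructed for the example. It builds a profile of which source hosts, databases and hours of day each account normally uses, then flags later events that deviate from that profile in two or more ways.

```python
"""Toy user-activity profiling for database access logs.

Added illustration (not code from the article or from Exabeam): builds a
per-user baseline of which databases, source hosts and hours a credential
normally uses, then flags later events that fall outside that baseline.
All log lines, users, hosts and database names are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed baseline records: timestamp, user, source host, database accessed.
BASELINE_LOG = """\
2015-07-01T09:12:03 svc_web web-01 customers
2015-07-01T09:40:51 svc_web web-02 customers
2015-07-02T10:05:17 svc_web web-01 orders
2015-07-02T14:22:40 svc_web web-02 customers
2015-07-03T11:02:09 dba_amy admin-pc customers
2015-07-03T11:30:44 dba_amy admin-pc payments
2015-07-06T09:55:12 svc_web web-01 orders
2015-07-06T16:10:33 dba_amy admin-pc orders
"""

# Constructed later activity to score. The second line is a valid credential
# used from an unfamiliar host, at night, against a database it never touched.
NEW_LOG = """\
2015-08-03T10:14:27 svc_web web-01 customers
2015-08-03T23:47:05 svc_web ext-vps-77 payments
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    database: str


@dataclass
class Profile:
    hosts: set = field(default_factory=set)
    databases: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse(log: str):
    """Yield Event objects from whitespace-separated log lines, skipping blanks."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, db = line.split()
        yield Event(datetime.fromisoformat(ts), user, host, db)


def build_profiles(log: str) -> dict:
    """Learn, per user, the set of hosts, databases and hours seen in the baseline."""
    profiles = defaultdict(Profile)
    for ev in parse(log):
        p = profiles[ev.user]
        p.hosts.add(ev.host)
        p.databases.add(ev.database)
        p.hours.add(ev.ts.hour)
    return dict(profiles)


def score(ev: Event, profiles: dict) -> list:
    """Return the list of deviations from the user's baseline (empty = normal)."""
    p = profiles.get(ev.user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if ev.host not in p.hosts:
        reasons.append(f"new source host {ev.host}")
    if ev.database not in p.databases:
        reasons.append(f"first access to database {ev.database}")
    if ev.ts.hour not in p.hours:
        reasons.append(f"unusual hour {ev.ts.hour:02d}:00")
    return reasons


def find_anomalies(baseline_log: str, new_log: str, min_reasons: int = 2) -> list:
    """Flag events with at least `min_reasons` deviations; returns (event, reasons) pairs."""
    profiles = build_profiles(baseline_log)
    flagged = []
    for ev in parse(new_log):
        reasons = score(ev, profiles)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(f"{ev.ts.isoformat()} {ev.user}@{ev.host} -> {ev.database}: "
              + "; ".join(reasons))
```

Requiring two or more deviations before alerting is a deliberate choice: a single new host or an off-hours login on its own is common and would drown a response team in noise, whereas a valid credential appearing from a new host, at an unusual hour, against a database it has never read is exactly the combination worth a look. In a real deployment the baseline would be learned over a rolling window rather than a fixed string, and the features would extend to query volume and row counts.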
