Carphone Warehouse slapped with maximum £400k fine by ICO over 2015 hack

Carphone Warehouse used 'out-of-date software and failed to carry out routine security testing', says ICO

Carphone Warehouse, the mobile phone retailer that spawned TalkTalk, has been slapped with a maximum £400,000 fine for the 2015 hack that exposed the personal data of more than three million customers and 1,000 employees.

The fine, by the Information Commissioner's Office (ICO), is the maximum that can be levied - until the General Data Protection Regulation (GDPR) comes into force in May.

The company was accused by the ICO of failing to adequately secure its systems, enabling intruders to easily access the data.

While Carphone Warehouse at the time claimed that it takes "the security of customer data extremely seriously", the high-profile data breach saw hackers make off with highly personal customer data, including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, payment card details.

The records of some Carphone Warehouse employees, including names, phone numbers, postcodes and car registration details, were also accessed.

The ICO has been probing the incident for more than two years, and this week concluded that Carphone Warehouse had "failed to take adequate steps to protect the personal information".

Intruders were able to access the company's systems via out-of-date WordPress software using valid log-in details, which the ICO said "exposed inadequacies in the organisation's technical security measures".

For example, elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing.

There were also inadequate measures in place to identify and purge historic data, which the ICO claims to be "a serious contravention" of Principle 7 of the Data Protection Act 1998.

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cyber-security and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

However, Denham also acknowledged that while Carphone Warehouse's lax security measures were to blame for the data breach, no evidence has emerged that the data loss has resulted in identity theft or fraud.

Carphone Warehouse, which tells us that it'll only have to hand over £320,000 due to early payment, said in a statement sent to V3: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse's UK divisions in 2015.

"As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.

"Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.

"We are very sorry for any distress or inconvenience the incident may have caused."