Following a data breach Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO).
The company suffered the data breach in 2015 and the ICO uncovered “systemic failures” and described their security arrangements as being “striking” and their basic measures as “inadequate.”
A hacker was able to access the personal data of more than three million customers, which included credit card details, names, addresses and phone numbers. 1,000 employees were also impacted by the data breach.
The £400,000 fine is one of the highest the ICO has ever issued, indicating the severity of the failings.
Those failures will sound familiar to anyone who has followed previous data breaches. Out of date software, in this case last updated in 2009, years before the attack, lax controls over login details to systems, blasé attitudes to passwords and the storing of data in places it didn’t need to be.
The breach may have occurred in 2015 but 2017 saw the WannaCry ransomware attack that was able to cripple the NHS due to its out of date software, as well as examples of careless attitudes towards cyber security and passwords amongst MPs (who were happy to discuss these attitudes openly on Twitter). Hopefully with the high profile nature of data breaches like this, organisations will start taking cyber security more seriously going forward.
Despite the high fine, Carphone Warehouse may feel they have got off lightly. In May 2018, the new set of tough data protection rules known as the General Data Protection Regulation, aka GDPR, will come into effect. This regulation covers all companies that handle data belonging to EU citizens, including those in the UK and those that break the rules will be punished with a major fine. GDPR will affect UK companies even after Brexit.
You can read more about this story below:
Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office for a series of “systemic failures” uncovered following a data breach in 2015. The ICO described the “number of distinct and significant inadequacies in the security arrangements” of Carphone Warehouse as “striking”, and said that it was ” particularly concerning that a number of the inadequacies related to basic, commonplace measures”.
How Cyber Essentials Can Help
The first step to keeping your organisation safe from potential future cyber attacks is to be certified with the Government’s Cyber Essentials scheme. Certification will protect your organisation from 80% of common cyber threats. It is also a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare and defend itself against malicious cyber attacks, regardless of the sector you operate in.
You can learn more about Cyber Essentials by downloading our free Cyber Essentials Scheme Summary or by downloading a sample of the Self-Assessment Questionnaire you will be required to complete to become Cyber Essentials certified.