10th January 2018
The ICO has fined Carphone Warehouse £400k after a 2015 hack gave unauthorised access to the personal data of 3.3m customers and 1k employees, including names, email and postal addresses, phone numbers, dates of birth and marital status. 18k customers also had their payment card details compromised, which points to PCI DSS compliance issues, and employees’ car registration numbers were accessed.
This is one of the ICO’s largest fines to date, and equals the fine imposed on TalkTalk in 2016.
The hackers, using an IP address in Vietnam, had valid administrative login credentials. Security controls on the virtual servers and on an out-of-date WordPress installation (a 2009 release) were found to be lacking, including “seriously inadequate patching”, weak firewalls, and deficient encryption, access control, password management, privileged access management (PAM), intrusion detection (IDS), anti-malware, asset management and data leakage controls, as well as a failure to remove old data.
There is still no certainty about what this fine would have been under the EU General Data Protection Regulation (GDPR), which applies from 25th May 2018. It has been suggested that future fines will be proportionate, but the maximum fine will increase from £500k to the greater of £17m (€20m) or 4% of global annual turnover.
The ICO reported that there was no evidence that the data has been used for identity theft or fraud.
Read the full ICO penalty notice for Carphone Warehouse here.
Data GRC provides practitioner services to help organisations mitigate their data protection and information security risks, and to develop appropriate management, physical, technical and operational controls.
We work with a number of industry standards including Cyber Essentials, ISO 27001, ISO 27002, NIST and PCI DSS, to help clients achieve recognised levels of control.
Click this link to discuss data protection and information security services.
Click this link for more Data Privacy, GDPR and Information Security guides.