Carphone Warehouse fined £400,000 after cyber-attack

Carphone Warehouse has received one of the most substantial fines recently issued by the ICO as a result of its failure to adequately secure its systems from a breach in 2015. The security breach resulted in over 3 million customers and 1,000 employees having their personal data compromised.

The data to which the cyber attacker gained unauthorised access included many customers’ names, addresses, dates of birth, phone numbers and marital status, and even payment details for more than 18,000 customers.

Furthermore, some employees also had their names, addresses, phone numbers and car registration numbers accessed. This lack of security led to serious concerns about the accessed data for these individuals being misused.

Elizabeth Denham, the Information Commissioner, said: “a company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systematic failures we found related to rudimentary, commonplace measures.”

The company was found to have failed to adequately protect the personal information of both its customers and its employees. The breach exposed a number of inadequacies in Carphone Warehouse’s data security. The resulting fine was imposed under the Data Protection Act 1998 for the company’s failure to comply with it.

As of 25th May 2018, the General Data Protection Regulation (“GDPR”) will come into force and replace the Data Protection Act. The GDPR brings with it a more onerous set of responsibilities for those who are storing and/or processing the personal data of individuals, whether these be employees, clients or customers.

The GDPR also sets out greater fines to be imposed on those who breach the Regulation, with the maximum being 20 million Euros or 4% of global turnover. This is significantly more punishing for any company that fails to comply; previous fines in the United Kingdom were capped at a maximum of £500,000. As such, it is even more important that, as of the GDPR’s implementation, the new requirements are complied with.

Should you require any further support or advice on the GDPR, data protection or privacy matters or would like to arrange an appointment to see one of our Solicitors, please contact us on 01908 660966.