For exposing 3m customers’ data
UK’s Carphone Warehouse has been slapped with a £400,000 fine by the Information Commissioner’s Office (ICO) for a series of “systemic failures” uncovered following a data breach in 2015 that compromised personal information of around 3m customers and 1,000 employees.
Compromised customer data included: Names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
The data watchdog said there were a “number of distinct and significant inadequacies in the security arrangements” of Carphone Warehouse, and said it was “particularly concerning that a number of the inadequacies related to basic, commonplace measures”.
The UK’s information commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
In a statement, Carphone Warehouse also clarified: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.”
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.”