ICO Fines Carphone Warehouse £400,000 for Data Breach

Legally reviewed by: Laura Smith In: Corporate & Financial Crime

The Information Commissioner’s Office (ICO) has issued one of the largest fines to Carphone Warehouse for a data breach back in 2015.

The breach, which followed a cyberattack, allowed hackers to gain unauthorised access to the personal data of more than 3 million customers and 1,000 employees.

Carphone Warehouse has apologised for the distress they may have caused, accepting the findings of the ICO.

The online division of Carphone Warehouse, which operated the websites e2save.com and OneStopPhoneShop.com, was affected by the data breach.

Data that was compromised during the cyberattack included customer names, addresses, dates of birth, phone numbers and marital status. For 18,000 customers this data also extended to historical payment card details.

Carphone Warehouse employees' phone numbers, addresses, names and car registrations were also accessed by the hackers. Both employees and customers were informed of this at the time of the attack.

Hackers had been able to use valid login details to access the company computer system using out-of-date WordPress software. Neither the ICO nor Carphone Warehouse has found evidence of fraud or identity theft as a result of the breach.

Elizabeth Denham, the Information Commissioner, stated that a large company like Carphone Warehouse, which is well established and well resourced, should have been active in assessing its data security systems and should have ensured they were robust enough to withstand such attacks.

Ms Denham further noted that it was concerning that the systematic failures found by the ICO related to such basic and commonplace measures.

The ICO offers a 20% discount on penalties that are paid within a month of a fine being issued. It is expected that Carphone Warehouse will pay £320,000 to the ICO.

Carphone Warehouse released the following statement on the matter: “As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.

“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.

“We are very sorry for any distress or inconvenience the incident may have caused.”

Gary Broadfield, Head of Cyber Crime, comments:

“The latest penalties issued by the ICO are further proof that the Regulator has teeth and is prepared to use them if businesses suffer breaches. The fines levied are a consequence of Carphone Warehouse’s inadequate approach to the security of its data; the company relied on out-of-date systems, and lacked both security testing procedures and procedures for purging old data, increasing the likelihood and severity of any potential breach. Fortunately for Carphone Warehouse, the penalty imposed was limited in comparison to those available to the ICO when the GDPR enters into force later this year.”
