Skip to main content

ICO Fines Carphone Warehouse £400,000 for Data Breach

The Information Commissioner’s Office (ICO) has issued one of the largest fines to Carphone Warehouse for a data breach back in 2015.

The breach, following a cyberattack allowed for hackers to gain unauthorised access into more than 3 million customers and 1000 employees personal data.

Carphone Warehouse has apologised for the distress they may have caused, accepting the findings of the ICO.

The online division of Carphone warehouse, which operated the websites and were affected by the data breach.

Data that was compromised during the cyber-attack included customer names, addresses, dates of birth, phone numbers, marital status. For 18,000 customers this data also extended to historical payment card details.

Information relating to Carphone Warehouse employees phone numbers, addresses, names and car registrations were also accessed by the hackers. Both employees and customers were informed of this at the time of the attack.

Hackers had been able to use valid login details to access the company computer system using an out – of –date WordPress software. Neither the ICO or Carphone Warehouse have found evidence of fraud or identity theft as a result of the breach.

Elizabeth Denham, The Information Commissioner stated that a large company like Carphone Warehouse, that is well established and well resources should have been active in assessing its data security systems and should have ensured they were robust enough to withstand such attacks.

Ms Denham further noted that it was concerning that the systematic failures found by the ICO related to such basic and commonplace measures.

The ICO offers a 20% discount on penalties that are paid within a month of a fine being issued. It is expected that Carphone Warehouse will pay £320,000 to the ICO.

Carphone Warehouse released the following statement on the matter: "As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues.

"Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.

"We are very sorry for any distress or inconvenience the incident may have caused."

Gary Broadfield, Head of Cyber Crime comments:

“The latest penalties issued by the ICO are further proof that the Regulator has teeth and is prepared to use them if businesses suffer breaches. The fines levied are a consequence of Carphone Warehouse’s inadequate approach to the security of its data; the company relied on out of date systems, and lacked both security testing procedures and procedures for purging old data, increasing the likelihood and severity of any potential breach. Fortunately for Carphone Warehouse, the penalty imposed was limited in comparison to those available to the ICO when the GDPR enters into force later this year.”

For information or advice in relation to a CyberCrime matter please contact our team on 0808 168 5550 or email

Firm News

Email you enquiry:

Email your Enquiry

Please complete the form below providing a brief outline of your query, and a member of our friendly team will be in touch with you shortly.


Please provide a brief outline of your query below, and one of our specialist team members will be in touch with you shortly.

Email Cartwright King Solicitors
Call Cartwright King Solicitors

You can now make online payments to us via our secure payment facility.

Make a Payment