Carphone Warehouse has been reprimanded with a six-figure fine from the UK’s information watchdog after admitting it was hacked in 2015.
The Information Commissioner’s Office (ICO) revealed how data belonging to 3 million customers and 1,000 employees was put at risk.
Cybercriminals were able to access millions of personal data records by using valid login details on websites using out-of-date WordPress software.
Using these logins, criminals accessed millions of personal data records including full names, addresses, dates of birth, phone numbers and marital status.
18,000 customers also saw their historical debit or credit card details leaked.
Personal details about Carphone Warehouse employees including their car registration numbers, home postcodes and phone numbers were also accessed illegally.
Carphone Warehouse is one of the UK’s biggest telecoms retailers. It operates 1,100 high street stores and owns the budget SIM Only brand ID Mobile.
The ICO acknowledged that so far there has been no evidence the hack has resulted in identity theft or fraud, and that Carphone Warehouse took steps to fix some of the problems and to protect those affected.
Carphone Warehouse apologised and agreed an early payment on the fine, reducing it from £400,000 to £320,000.
A spokesperson for the ICO said they were shocked at the simple vulnerabilities on Carphone Warehouse’s systems that allowed such a basic hack to take place.
Of serious concern was the fact that Carphone Warehouse had not set up routine testing on their systems to identify threats, nor had they kept important elements of their software properly patched and updated.
The ICO said it had identified “multiple inadequacies” in Carphone Warehouse’s approach to data security and ruled the company had failed to protect personal information.
A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.
Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.
- Elizabeth Denham, Information Commissioner, ICO
The ICO acknowledged that cyberattacks on corporate targets were becoming more frequent and determined, but said companies had a legal right to protect valuable employee and customer data.
Commenting, a spokesperson from Carphone Warehouse told SIMOnlyDeals.co.uk: “We accept the decision by the ICO and have co-operated fully throughout its investigation.
“Since the attack in 2015 we have worked extensively with cybersecurity experts to improve and upgrade our security systems and processes.
“We are very sorry for any distress or inconvenience the incident may have caused.”
From 25 May 2018, the law on personal data will get much more stringent as the General Data Protection Regulation (GDPR) comes into effect.
One of the requirements is that companies consider data protection at every stage of their processes, from the software that powers their business to the policies they decide to enact.