The parent company of Currys PC World has been fined £500,000 after the tills in its shops were compromised by a cyber-attack that affected at least 14 million customers.
Britain’s data privacy watchdog has imposed one of its largest fines ever against retailer Carphone Warehouse over a massive data breach it suffered in 2015.
The data breach of Carphone Warehouse affected its online division, which operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites, and resulted in unauthorized access to the personal data of 3.3 million customers and 1,000 employees.
Compromised customer data included names, addresses, phone numbers, birthdates, marital status and – for more than 18,000 customers – historical payment card data. Carphone Warehouse employees, meanwhile, saw their name, phone numbers, postcode and car registration numbers get exposed.
Following an investigation into the attack, the Information Commissioner’s Office (ICO) found systemic failures in the retailer’s management and protection of customer data.
The 2015 breach resulted from an attack that ran from July 21 to Aug. 5, when Carphone Warehouse discovered and blocked it.
ICO notes that attackers had plenty of ways to break in, including via Carphone Warehouse’s WordPress installation, which dated from 2009 and hadn’t been updated since, meaning it was six years out of date at the time of the attack.
“Although a ‘patch management standard’ was in place, it was not being followed by the relevant business area,” the ICO’s report says. “No measures were in place to check whether software updates and patches were implemented regularly in accordance with Carphone Warehouse’s policy.”
The ICO held that the company had failed to maintain adequate security measures to protect its data, resulting in the maximum level of fine being imposed.
As the incident pre-dated the introduction the General Data Protection Regulation (GDPR) in May 2018, it was dealt with under the Data Protection Act 1998, which provided for a maximum fine of £500,000.
Had the GDPR applied, the level of financial penalty could have reached up to 4% of annual turnover, or £17 million.
Last year, the ICO also fined another DSG company, Carphone Warehouse, £400,000 for similar security vulnerabilities.