The ICO has slapped Carphone Warehouse with a $400,000 fine for a data breach dating back to 2015. The ICO passed down one of its largest ever fines after hackers gained access to the personal data of more than three million Carphone Warehouse customers, along with the details of around 1,000 employees.
The Information Commissioner, Elizabeth Denham, said: "A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
"Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."
The retailer has apologised for the data breach, which relates to its online division and the websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk. It has accepted the fine and the ICO’s findings. The final cost of the fine is expected to be £320,000, as the ICO offers a 20 per cent discount on penalties that are paid less than a month after being issued.
A statement from the company said: "As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused."
Lewis Henderson, VP Threat Intelligence at Glasswall Solutions, believes that there are lessons to be learnt from the data breach at Carphone Warehouse. "Although Carphone Warehouse will likely bounce back from the damage this breach has caused it financially and reputationally, we should not mine this example for lessons on how to prepare for the risks and mitigate the loss data breaches present to companies moving forwards," he said.
"Cyber criminals have moved on in leaps and bounds from how attacks were conducted on companies back in 2015, the tactics of cyberattacks have shifted vastly. Today, the most used, and most effective vector of attack is through weaponised email attachments, which leaves any network, guarded by traditional anti-virus software, vulnerable to penetration. Companies in all sectors must look for innovative and alternative solutions to prevent these types of attacks."
He added: "It isn’t just the attacks that stand to evolve and change over this time. TalkTalk were famously fined the same amount for a breach that led to the loss of 6 million customers’ data, which does not cripple or motivate companies of this size to take securing of customer data even more seriously, but this will not be for much longer.
"Once the EU GDPR regulation comes into force, businesses can be fined up to 4 per cent of their annual turnover. A £400,000 fine for Carphone Warehouse now, could have been north of £150 million after May this year should the ICO wish to push for the maximum fine. Whilst the Carphone Warehouse share prices haven’t been affected heavily this time, organisations have to consider what a net loss of 4 per cent turnover could do to their business, as more than just reputation would plummet."
Earlier this year, Dixons Carphone announced that it is having to rethink the mobile side of its business following a drop in sales during H1 of 2017. After announcing that mobile sales were down 3 per cent for the first half of the year in the UK, CEO Seb James admitted that that side of the business needed a shake-up. James added that conversations with network providers were already underway to ‘untether’ the retailer from existing contractual obligations.
“We know that the business needs some changes,” James said. “Some things have happened this year that have affected our numbers. It is not the end of the world but we need to adapt to the changing market.”
The company then appointed Andrew Harrison to the role of chairman of The Carphone Warehouse Limited as changes began to fall into place. How – and if – this fine will impact the shake-up remains to be seen.