The Information Commissioner’s Office slammed retailer with biggest-ever fine for “wide ranging and systemic” data protection problems.
Carphone Warehouse was hit with a £400,000 fine after a 2015 cyber-attack resulted in the theft of data of more than 3m customers and 1,000 employees.
The Information Commissioner’s Office (ICO) said on Wednesday that the attack compromised the records of 3,348,869 mobile phone customers, 18,231 historical credit card transactions (which included the CVC number) and the personal details of around 1,000 employees including their contact details, previous addresses and car registration numbers.
The commissioner’s report described multiple inadequacies in Carphone Warehouse’s technical and organisational measures. Its computer system was built around a complex cluster of virtual servers hosting internal and external websites, including e-commerce sites. At the time of the attack important elements of the software were years out of date, and the Wordpress web application was six years old. None of the servers had a web application firewall (WAF) or anti-virus software in place.
All the servers had the same root password giving administrator access, which was known to 30-40 members of staff. Although the historical transactions were protected by encryption, the encryption keys were stored in plain text within the application.
The commissioner noted that the number of distinct and significant inadequacies was striking - and that each of them would have constituted a contravention of Data Protection Principle 7. Cumulatively, the problems were “wide-ranging and systemic, rather than single isolated gaps in an otherwise robust package of technical and organisational measures”.
Information commissioner Elizabeth Denham rejected claims by Carphone Warehouse that sanctions relating to the use of outdated software, inadequate patching and the absence of WAF and anti-virus were “imposing unjustifiably high standards of data security”. In setting the fine, the commissioner took into account the fact that Carphone Warehouse was large and well-resourced - and should have been well placed to assess any weaknesses in its data security arrangements and take appropriate action.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” she said.
Serious and avoidable risks
What’s striking in this case is the sheer lack of cyber-awareness shown by the company. It was effectively the e-commerce arm for multiple websites including e2save.com and mobiles.co.uk as well as its own brand, with almost 3.5m customers. Whilst the commissioner understood that basic protection such as anti-virus may not have prevented the attack, the absence of such measures created “serious and avoidable risks to the contents of the system”.
Carphone Warehouse had claimed that the attack was “sophisticated”, but in reality the attacker used the Nikto web scanning tool which is freely available and checks for outdated web servers, application software and common configuration errors.
GDPR looms
The fine represents 80% of the maximum available under current UK data protection laws. Under the General Data Protection Regulation (GDPR), which comes into force on 25 May, the maximum fine could have been as high as 4% of annual turnover, with Carphone Warehouse facing a potential bill running into the tens of millions.
The UK government committed to GDPR in last year’s Queen’s speech, accepting that it would be a necessary condition to maintaining the UK’s ability to share data with other EU member states after the UK leaves the EU.
GDPR introduces mandatory reporting of privacy breaches within 72 hours. Currently, the UK heath sector is the only one that operates under such rules, which is why it makes up almost 35% of the 687 breaches reported to the ICO in the three months to September 2017. It seems highly likely that the number of reports will spiral after 25 May.
