Carphone Warehouse fined £400,000 for putting millions of customers’ data at risk

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

Carphone Warehouse has been slapped with a £400,000 fine after one of the company’s computer systems was compromised as a result of a cyber-attack in 2015, putting millions of people’s data at risk.

The Information Commissioner’s Office on Wednesday said that the company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees.

That data included names, addresses, phone numbers, dates of birth, marital statuses and – for more than 18,000 customers – historical payment card details.

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said Information Commissioner Elizabeth Denham.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

The ICO said that intruders had theoretically been able to access Carphone Warehouse’s system via out-of-date WordPress software, but it also said that so far there has been no evidence that the inadequate security measures had actually resulted in cases of identity theft or fraud.

Nonetheless, Ms Denham said that customers and employees had been victimised by having their data “open to abuse by the malicious actions of the intruder”.

“Companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees,” she said.

May this year will see the introduction of a set of stringent data protection rules known as the General Data Protection Regulation, or GDPR.

Many have described GDPR as the most significant development in UK data protection law since the 1990s. Under it, companies will have to be more transparent in the way that they collect data, be more explicit about notifying the public if there’s a hack or a data breach, and will have to appoint a dedicated data protection officer.

The regulation covers all companies that handle any form of data belonging to EU citizens, and institutions which fail to comply will face a fine that may be tied to revenue.