The Information Commissioner's Office (ICO) has fined the mobile phone retailer Carphone Warehouse £400,000, a penalty described as "one of the largest fines by the ICO". The fine resulted from inadequacies in Carphone Warehouse's data security measures.
The subject of the cyber-attack was a specific Carphone Warehouse computer system consisting of virtual servers hosting several internal and external websites. At the time of the cyber-attack, the computer system contained large amounts of customer and employee personal data including names, addresses, and historical payment card details.
The cyber-attack was made possible through an installation of the WordPress content management system on one of the websites hosted on the computer system. The WordPress installation was out of date and suffered from various vulnerabilities, which enabled the attacker to enter the computer system and access numerous databases, including those containing some or all of the personal data described above.
Forensic investigation reports into the cyber-attack found that, while there was no single root cause of the cyber-attack, there were a number of deficiencies with technical provisions and security measures in Carphone Warehouse's computer system. The reports also found that the attacker had everything he needed to access the computer system and harvest a large amount of information quickly.
The ICO identified a breach of Principle 7 of the Data Protection Act 1998 (DPA) in that Carphone Warehouse failed to take adequate steps to protect the relevant personal data as a result of multiple inadequacies in the organisation's approach to data security and in its technical security measures. These include the following:
In considering the amount of the monetary penalty, the ICO took account of various mitigating features of the case. For example, Carphone Warehouse took remedial action to fix some of the problems exposed by the cyber-attack. There was also no evidence that actual harm was caused by this particular cyber-attack, as nothing suggested that the compromised personal data had been used for successful identity theft or fraud. In addition, the ICO accepted that valid login credentials were used to access the WordPress software (although how the attacker obtained those credentials remains uncertain).
The ICO, however, focussed on the series of inadequacies in Carphone Warehouse's data security measures and highlighted that there was no justification for the extent of such inadequacies on the part of an organisation which has the size and means to prevent them from occurring.
The ICO decision illustrates that extreme care should be taken to ensure that adequate measures are in place to prevent cyber-attacks: the penalty turned not on a single failing but on an accumulation of basic ones, such as running out-of-date software on a system holding customer and employee data, which an organisation of Carphone Warehouse's size and means was expected to prevent. The imposition of this fine also shows that large fines are a real threat under the current data protection regime, and the maximum penalties will increase significantly when the General Data Protection Regulation (GDPR) comes into effect in May 2018.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions