
Carphone slapped with £400,000 fine by ICO for data breach

Manny Pham
January 11, 2018

More than three million customers and 1,000 employees had personal data accessed by hackers

Carphone Warehouse has been fined by the Information Commissioner’s Office (ICO) for a data breach in 2015 that placed customer data in jeopardy.

More than three million customers and 1,000 employees had personal data accessed by hackers, including names, addresses, car registrations (employees), phone numbers, dates of birth, marital status and payment card details.

The data hack affected Carphone Warehouse’s online division, which operated the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.

The culprits used correct login details to access Carphone’s computer systems, which were running out-of-date WordPress software.

However, there has been no evidence of fraud or identity theft from the attack.

The fine is expected to be cut to £320,000, as a 20 per cent discount is applied to penalties that are paid in full less than a month after being issued.

ICO information commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

Carphone issued the following statement: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.

“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.

“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.

“We are very sorry for any distress or inconvenience the incident may have caused.”
