£400k fine: Is it big enough for Carphone Warehouse’s huge data breach?

11 Jan 18

The Information Commissioner’s Office (ICO) has issued a whopping £400,000 fine to Carphone Warehouse after its data breach in 2015.

The ICO reported that ‘striking’ security issues and ‘systemic failures’ led to the colossal breach, which affected more than three million customers and a thousand employees. This meant the giant retailer breached the seventh principle of the Data Protection Act, as it did not have appropriate technical or organisational measures in place to keep personal data secure.

Hackers broke into Carphone Warehouse’s online department to compromise data including names, addresses, phone numbers, dates of birth, marital status – and for an unfortunate 18,000, historical payment card details.

The ICO deemed the breach disappointing, as a company the size of Carphone Warehouse should have been ‘actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.’

According to the Information Commissioner, Elizabeth Denham, what is concerning is that the failures the ICO found related to rudimentary and commonplace measures.

Here are some insights from experts in the industry:

Ilia Kolochenko, CEO of web security company High-Tech Bridge

"Despite seeming like a relatively large fine, the amount represents a scanty £7.50 per breached record. With the records breached holding very sensitive data, the damages suffered by the victims may be much bigger, and will likely last for the next few years as attackers are likely to continuously (re)use the compromised data. Exacerbated by the alleged "systematic failures" to implement commonly accepted standards of data protection, this fine is peanuts.

With the impending enforcement of GDPR in May, similar negligence may cost tremendously more and lead to bankruptcy of companies who fail to ensure a decent level of cybersecurity and privacy."

Thomas Fischer, Global Security Advocate at Digital Guardian

“To those affected by this incident, a £400,000 fine might be seen as ‘too little, too late’. When big companies like Carphone Warehouse stand to face such small fines compared to their annual turnover, the incentive to improve security practices just isn't there.

It’s one thing to fall foul to an advanced attack, but the ICO report makes it clear that Carphone Warehouse failed to complete essential, but fairly routine, patches for the affected WordPress site. Thankfully, the GDPR will start to be enforceable this year and so the days for data protection complacency really are numbered. Businesses like Carphone Warehouse can expect to swap a £400,000 fine for data breaches for one running into the millions.”

Nir Polak, CEO at Exabeam

"This incident highlights why it is essential for companies to understand exactly how individuals are interacting with the network and data. Had Carphone Warehouse had a means to monitor user activities, its incident response team could have spotted unusual use of valid credentials to access the affected databases.

Profiling individual users helps security teams to understand exactly who is on the network; what they are doing; whether they should be doing it; and what their actions mean for an organisation’s security posture."
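A minimal illustration of the user-activity profiling Polak describes, added here as an example and not code from Exabeam or from the original article. It assumes a constructed audit-log format (timestamp, username, database, rows returned) and invented thresholds; it builds a per-user baseline from a quiet period and then flags later events where a valid account touches a database it never used before, works at an hour it has never been seen at, or pulls a result set far larger than anything in its baseline. All log lines below are constructed for the example.

```python
"""
Hypothetical user-behaviour profiling over database audit logs.
Not Carphone Warehouse's or Exabeam's code; the log format, field names,
sample data and thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline audit log: ISO timestamp, user, database, rows returned.
BASELINE_LOG = """\
2015-07-01T09:12:00 alice crm_customers 120
2015-07-01T10:45:00 alice crm_customers 95
2015-07-02T09:30:00 alice crm_customers 140
2015-07-01T14:05:00 bob web_orders 30
2015-07-02T15:20:00 bob web_orders 45
2015-07-03T11:00:00 bob web_orders 25
"""

# Constructed later log window containing valid credentials used unusually.
DETECTION_LOG = """\
2015-08-05T09:40:00 alice crm_customers 130
2015-08-05T02:15:00 bob crm_customers 250000
2015-08-05T14:30:00 bob web_orders 40
2015-08-06T10:00:00 alice payment_cards 20000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (datetime, user, db, rows) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, db, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, db, int(rows)))
    return events


def build_profiles(events):
    """Per-user baseline: databases touched, hours of day seen, largest result set."""
    profiles = defaultdict(lambda: {"dbs": set(), "hours": set(), "max_rows": 0})
    for ts, user, db, rows in events:
        profile = profiles[user]
        profile["dbs"].add(db)
        profile["hours"].add(ts.hour)
        profile["max_rows"] = max(profile["max_rows"], rows)
    return dict(profiles)


def detect_anomalies(profiles, events, volume_factor=10):
    """Return (timestamp, user, db, reason) alerts for events that break a user's baseline."""
    alerts = []
    for ts, user, db, rows in events:
        profile = profiles.get(user)
        if profile is None:
            # A credential with no history at all deserves a look on its own.
            alerts.append((ts, user, db, "no baseline for user"))
            continue
        reasons = []
        if db not in profile["dbs"]:
            reasons.append("database never accessed by this user")
        if ts.hour not in profile["hours"]:
            reasons.append("access outside usual hours")
        if rows > volume_factor * profile["max_rows"]:
            ratio = rows // max(profile["max_rows"], 1)
            reasons.append("result set %dx larger than baseline maximum" % ratio)
        for reason in reasons:
            alerts.append((ts, user, db, reason))
    return alerts


def run_example():
    """Build baselines from BASELINE_LOG and score DETECTION_LOG against them."""
    profiles = build_profiles(parse_log(BASELINE_LOG))
    return detect_anomalies(profiles, parse_log(DETECTION_LOG))


if __name__ == "__main__":
    for ts, user, db, reason in run_example():
        print("%s %-6s %-14s %s" % (ts.isoformat(), user, db, reason))
```

The routine bob's 14:30 order lookup produces nothing, while his 02:15 pull of a quarter of a million customer rows and alice's first-ever read of the card table each trigger several reasons at once; in practice the baseline window would be longer and the hour check would tolerate neighbouring hours, but the shape of the check is the same.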
