The Information Commissioner’s Office (ICO) has today hit Carphone Warehouse (CPW) with a £400K fine after a 2015 hack, which resulted in a major breach of personal data for 3.3 million customers and 1,000 staff and indirectly affected the CPW-hosted mobile site of UK broadband ISP TalkTalk.
According to the ICO’s report, CPW was subjected to an external cyberattack between 21st July and 5th August 2017, which originated from an IP address in Vietnam but also used more than one IP from other locations. The hacker scanned CPW’s system and identified a “considerably” out-of-date installation of the WordPress content management system, which was known to have security flaws (apparently the attackers also made use of valid login credentials for the system).
The company eventually cottoned on to the problem but by then the attacker had compromised customer data, including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The records for some Carphone Warehouse employees were also accessed.
One lesser-known fact is that the incident also affected TalkTalk’s mobile.talktalk.co.uk website, which back then was still being hosted by CPW. At the time TalkTalk acknowledged that the site had been “subject to a sophisticated and co-ordinated cyber attack, along with a number of other similar websites” and warned that “some of our mobile customers’ data may have been accessed by the criminals.”
Sadly the incident occurred just a couple of months before TalkTalk suffered its own devastating cyber-attack, which also resulted in a £400,000 fine from the ICO.
Elizabeth Denham, Information Commissioner, said:
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The incident is said to have exposed “inadequacies in the organisation’s technical security measures”. As stated earlier, important elements of the software in use on the affected systems were found to be out of date, and the company failed to carry out routine security testing. The ICO added that there were also inadequate measures in place to identify and purge historic data.
The Commissioner did however acknowledge the steps that Carphone Warehouse took to fix some of the problems and to protect those affected. She also acknowledged that to date “there has been no evidence that the data has resulted in identity theft or fraud,” although in reality it is always very difficult to link such cases back to a specific incident.
A Spokesperson for Carphone Warehouse said:
“We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.
Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused.”
Elizabeth Denham added:
“The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.
The law says it is the company’s responsibility to protect customer and employee personal information.
Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.
There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined.
But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”
The ICO has the power to impose a monetary penalty on a data controller of up to £500,000, although so far it has tended to keep below that level even when major breaches are involved. Meanwhile the ICO has told CPW that it will reduce the fine to £320,000, but only if the company pays in full by 7th February 2018.
The future introduction of new GDPR data protection rules could result in massive multi-million pound fines being levied for such breaches.