Carphone Warehouse Fined £400K for Breach that Also Hit TalkTalk Mobile

Wednesday, Jan 10th, 2018 (1:43 pm) - Score 4,835

The Information Commissioner’s Office has today hit Carphone Warehouse with a £400K fine after a 2015 hack, which resulted in a major breach of personal data for 3.3 million customers + 1,000 staff and indirectly affected the CPW hosted mobile site for UK broadband ISP TalkTalk.

According to the ICO’s report, CPW was subjected to an external cyberattack between 21st July and 5th August 2017, which originated from an IP address in Vietnam but also used more than one IP from other locations. The hacker scanned CPW’s system and identified a “considerably” out-of-date installation of the WordPress content management system, which was known to have security flaws (apparently the attackers also made use of valid login credentials for the system).

The company eventually cottoned on to the problem but by then the attacker had compromised customer data, including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The records for some Carphone Warehouse employees were also accessed.

One lesser known fact is that the incident also affected TalkTalk’s mobile.talktalk.co.uk website (news), which back then was still being hosted by CPW. At the time TalkTalk acknowledged that the site had been “subject to a sophisticated and co-ordinated cyber attack, along with a number of other similar websites” and warned that “some of our mobile customers’ data may have been accessed by the criminals.”

Sadly the incident occurred just a couple of months before TalkTalk suffered its own devastating cyber-attack (here), which also resulted in a £400,000 fine from the ICO (here).

Elizabeth Denham, Information Commissioner, said:

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

The incident is said to have exposed “inadequacies in the organisation’s technical security measures”. As stated earlier, important elements of the software in use on the affected systems were found to be out of date and the company failed to carry out routine security testing. The ICO added that there were also inadequate measures in place to identify and purge historic data.

The Commissioner did however acknowledge the steps that Carphone Warehouse took to fix some of the problems and to protect those affected. She also acknowledges that to date “there has been no evidence that the data has resulted in identity theft or fraud,” although in reality it’s always very difficult to link such cases back to a specific incident.

A Spokesperson for Carphone Warehouse said:

“We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.

As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.

Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes. We are very sorry for any distress or inconvenience the incident may have caused.”

Elizabeth Denham added:

“The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

The law says it is the company’s responsibility to protect customer and employee personal information.

Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined.

But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”

The ICO has the power to impose a monetary penalty on a data controller of up to £500,000, although so far it has tended to keep below that level even when major breaches are involved. Meanwhile the ICO has told CPW that it will reduce the fine to £320,000, but only if the company pays in full by 7th February 2018.

The future introduction of new GDPR data protection rules could result in massive multi-million pound fines being levied for such breaches.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
6 Responses
  1. bures says:

    £400k, no doubt paid out of the “Petty Cash” tin.
    Some deterrent!

  2. Craig says:

    It’s TalkTalk’s fault. I’ve been subjected to calls from an Asian call centre claiming they were TalkTalk and yet knew all my details. What I want to know is: of the fine that they have paid, are we, the customers, getting compensated due to the incompetence of TalkTalk?

  3. Les Day says:

    Someone needs to stop ID Mobile, which of course is owned by Carphone Warehouse; their service when things go wrong is unbelievably bad.
    Please look at Trustpilot for cases.

  4. David says:

    Well, this makes me wonder from other news that’s come up from the TalkTalk hack. In that case the data would appear to have been used, and I reach this by the fact that TalkTalk keep on blocking TeamViewer on their networks, stating it is to protect their customers!

    This however is CPW, so the mobile side and not quite the same, but one thing that is interesting to me is the wording above.

    ICO says: “there has been no evidence that the data has resulted in identity theft or fraud,”

    CPW says: “The ICO noted that there was no evidence of any individual data having been used by third parties.”

    I would just like to point out that using data in any number of ways is not the same as “identity theft or fraud!”

    My point being that CPW is trying to say “identity theft or fraud” is the same as “data having been used by third parties”.

    This is putting words into the mouth of the ICO and twisting the meaning to make things sound less serious than they are.

  5. Geoff says:

    The Baroness Harding of Winscombe, or Dido Harding, the ex-CEO of TalkTalk, exited after trousering £6.8 million and causing me regular calls from some idiot in the Indian subcontinent to discuss my broadband fault! Ofcom should have banned TalkTalk from operating broadband services in the UK post-hack. But as they are completely bloody useless, expect similar to happen again.

    The consumer always pays the price.

  6. The ICO are certainly ramping up the pressure on companies that fail to protect customer data or persist in outlandish spamming.

    Fines have increased by 58% in the past year and January was a record month for fines.

    The ICO name and shame all the guilty companies on their website, but they don’t categorise the fines or offer any further trend analysis.

    My company, The SMS Works, has trawled through all this fines data and it certainly throws up some interesting and sometimes puzzling findings.

    For example, the fines for email spam are on average, just half of those for SMS spam.

    You might find it intriguing reading.

    https://thesmsworks.co.uk/breach-report-ico-fines-analysis-infographic

Comments are closed

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved