Cyber-attack results in £400,000 fine for Carphone Warehouse

The Information Commissioner’s Office (ICO) has fined Carphone Warehouse for major inadequacies in its data security, which resulted in a cyber-attack that lasted for over a week. The records of more than 18,000 customers were compromised in the breach, including names, addresses, phone numbers and historic payment details.

How did it happen?

It appears that the cyber-attack was made possible due to flaws in the WordPress software used by the company, which was six years old at the time and contained vulnerabilities that made harvesting large amounts of information easy. Although Carphone Warehouse had a ‘Patch Management Standard,’ it was not executed properly and there were no checks to ensure a patching policy was being implemented or maintained. On top of this, Carphone Warehouse failed to install any antivirus software on any of their servers.
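The ICO's point above is that a patch standard on paper is worthless without a check that it is actually being applied. The following is an added illustration, not code from the ICO report or from Carphone Warehouse: it reads the `$wp_version` string from a WordPress install's `wp-includes/version.php` and compares it with a baseline version that an organisation's patch standard would define. The baseline `4.9.8` and the sample file contents are constructed assumptions.

```python
"""Patch-compliance check for a WordPress install (illustrative example).
Reads $wp_version from wp-includes/version.php and compares it against the
baseline a patch-management standard defines. Baseline and sample data are
constructed assumptions, not values from the incident."""
import re
from pathlib import Path

# Matches the assignment WordPress uses in wp-includes/version.php,
# e.g.  $wp_version = '4.9.1';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php_text: str) -> str:
    """Return the version string found in version.php text; raise if absent."""
    m = _VERSION_RE.search(version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version: str) -> tuple:
    """Turn '4.9.1' into (4, 9, 1) so versions compare numerically.
    A non-numeric suffix such as '5.0-beta1' is ignored for the comparison."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def check_patch_compliance(installed: str, baseline: str) -> dict:
    """Compare the installed version with the baseline; return a report dict
    that a scheduled job can log or raise an alert on."""
    compliant = version_key(installed) >= version_key(baseline)
    finding = None if compliant else (
        f"WordPress {installed} is below the patch baseline {baseline}")
    return {"installed": installed, "baseline": baseline,
            "compliant": compliant, "finding": finding}


def check_install_dir(wp_root: Path, baseline: str) -> dict:
    """Locate version.php under a WordPress root and run the compliance check."""
    text = (wp_root / "wp-includes" / "version.php").read_text()
    return check_patch_compliance(parse_wp_version(text), baseline)


# Constructed sample of an unpatched install's version.php (not real data).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.6.1';\n"

if __name__ == "__main__":
    print(check_patch_compliance(parse_wp_version(SAMPLE_VERSION_PHP), "4.9.8"))
```

Run against each server's WordPress root from a scheduler and alert on any report where `compliant` is false; that is the missing control the ICO described.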

What the ICO had to say

The company claimed that the WordPress software was accessed using valid login credentials, and whilst the ICO accepted this, it stated that this did not absolve the company of responsibility. This was because of other major failings by Carphone Warehouse, including the fact that staff were only alerted to the attack 15 days after it began, and that the company was unaware of the historic credit card data held on the system. Whilst it is still not clear how the hacker, believed to be based in Vietnam, obtained valid login details, the company had failed to protect itself and had not followed correct procedure after the attack.

The attack was made more severe due to the inadequate encryption on the system, which meant that once inside the software the attacker could access further credentials, create files of the information and then export this out of the system. Whilst the exact content of these files cannot be determined, the ICO accepted it as ‘prudent and realistic’ that these files contained personal data.

What the reports found

Specialist companies compiled reports after the breach, which found that Carphone Warehouse’s system had a number of problems with technical provisions and security measures. On top of this, the company failed to scan and detect system vulnerabilities. This was made clear when it was found that on the first day of the cyber-attack, the system did not detect any vulnerability during its scan. The company had also failed to conduct an internal or external vulnerability test in the previous 12 months.  

A particularly significant failing was the company’s lack of a Web Application Firewall (WAF), which the ICO deemed to be a “notable departure from widely accepted security standards at the time of the incident”.

What does this mean?

The case of Carphone Warehouse shows that it is rarely a single failing that enables a cyber-attack, and that multiple failings compound each other – for example by making it easier for an attacker to reach more data once inside the system. It demonstrates that data protection should be considered from all possible angles, with every measure put in place to protect your data subjects’ privacy. Carphone Warehouse was lucky this time – with the implementation of GDPR, cases like this will result in much bigger fines for the company, so it’s essential to cover all bases now.

For the latest updates in the cybersecurity world, as well as advice on what to do in the event of a cyber-attack, take a look at our dedicated data privacy blog.