Just a few days into 2018, the UK's Information Commissioner's Office (ICO) is already back at work issuing fines to companies found lacking in proper measures to secure their customers' data.
The first of the year goes to Carphone Warehouse, which in 2015 suffered a massive data breach potentially affecting around 3 million of its customers. Pending the ICO's investigation of the incident, the company took the necessary steps to contact those affected.
Just last week, an outcome was reached: the ICO concluded that Carphone Warehouse had failed to update its software and carry out routine testing, which left its systems vulnerable – culminating in a £400,000 fine for the mobile retailing giant. Information Commissioner Elizabeth Denham criticised the company in a statement, noting: “A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
The ICO investigation found that an out-of-date version of WordPress was largely to blame for the compromise, which affected not only Carphone Warehouse customers but staff as well. Names, addresses, phone numbers, dates of birth, even marital status and historical payment card details were among the data exposed to the attackers.
A Carphone Warehouse spokesperson said that since the attack in 2015, the company “moved quickly at the time to secure our systems, to put in place additional security measures… and worked extensively with cyber security experts to improve and upgrade our security systems and processes.”
Carphone Warehouse can chalk this incident up as a hard lesson, and in some sense can also be grateful that it did not occur after May 2018, when the EU's General Data Protection Regulation becomes enforceable. Under GDPR, such an incident could potentially have cost the company, owned by Dixons Carphone, anywhere from 10-20 million Euros or 2-4% of its global annual turnover, whichever is greater.
When it comes to securing personal data, best practice is to protect the information at the source by encrypting it using an encryption gateway. That way, if all else fails – software is not kept up to date, or an attacker finds a loophole in the system to exploit – the data itself remains unreadable to the attacker. With this mindset around security, many more companies can hopefully avoid learning this lesson the hard way.