Carphone Warehouse has been fined £400,000 by the Information Commissioner’s Office (ICO) for inadequacies in its data security measures that came to light following a cyber-attack.
The ICO, whose role is to uphold information rights in the public interest, found that the data of more than 18,000 customers had been compromised in the breach. This included personal information such as names, addresses, phone numbers and historic payment details.
The attack, which originated from Vietnam and lasted for over a week, was made possible because of vulnerabilities in WordPress software. The software, which was six years old at the time, had various vulnerabilities making it easier to attack and harvest a large amount of information.
For example, although Carphone Warehouse had a ‘Patch Management Standard’, serious inadequacies in its execution meant that there were no checks to ensure that the company’s patching policy was being implemented.
The company also failed to implement their policies by not installing antivirus software on any of the servers that make up their System.
While the Commissioner accepted that valid login credentials were used to access the WordPress software, due to other failings by Carphone Warehouse, this did not absolve them of responsibility. For instance, staff were only alerted to the attack 15 days after it started, and were not even aware that historic credit card data was held on the system. It remains uncertain how the attacker managed to obtain the valid login credentials.
Once inside the software, inadequate encryption enabled the attacker to access further credentials, create files of information and then export this out of the system. The contents of these files cannot be determined but it is accepted as ‘prudent and realistic’ that these files contained personal data.
Following the breach, specialist companies compiled number of reports. It was found that although there was not one single cause, there were a number of problems with technical provisions and security measures in Carphone Warehouse’s system.
There were other failings with regards to scanning and detecting system vulnerabilities. On the first day of the attack, the system was scanned but did not detect any vulnerability. It is also understood that Carphone Warehouse had not conducted an internal or external vulnerability test in the previous 12 months. A particularly significant failing was the company’s lack of Web Application Firewall (WAF). This was said to be a “notable departure from widely accepted security standards at the time of the incident”.
With the GDPR coming into force later this year, bringing with it the potential for much higher penalties on data controllers and processors, it is vital that businesses have systems in place to adhere to their legal obligations.