The Information Commissioner's Office (ICO) has issued a fine of £400,000 to a mobile phone retailer (Carphone Warehouse) which was described as "one of the largest fines by the ICO" and resulted from inadequacies in Carphone Warehouse's data security measures.

The facts

The subject of the cyber-attack was a specific Carphone Warehouse computer system consisting of virtual servers hosting several internal and external websites. At the time of the cyber-attack, the computer system contained large amounts of customer and employee personal data including names, addresses, and historical payment card details.

The cyber-attack was made possible through an installation of the content management system WordPress on one of the websites maintained on the computer system. The WordPress installation was out of date, suffered from various vulnerabilities and enabled the attacker to enter the computer system and access numerous databases, including those containing some or all of the personal data specified above.

Forensic investigation reports into the cyber-attack found that, while there was no single root cause of the cyber-attack, there were a number of deficiencies with technical provisions and security measures in Carphone Warehouse's computer system. The reports also found that the attacker had everything he needed to access the computer system and harvest a large amount of information quickly.

The breach

The ICO identified a breach of Principle 7 of the Data Protection Act 1998 (DPA) in that Carphone Warehouse failed to take adequate steps to protect the relevant personal data as a result of multiple inadequacies in the organisation's approach to data security and in its technical security measures. These include the following:

  • There were some basic features of security which, according to the ICO, should have been in place. These included: the lack of a web application firewall for monitoring and filtering traffic to and from Carphone Warehouse's web applications; the absence of antivirus measures; and the use of WordPress software which was out of date.
  • The ICO found the vulnerability scanning and penetration testing measures that were in place at the time to be inadequate noting that no internal or external penetration testing had been conducted in the 12 months leading up to the attack.
  • Carphone Warehouse's software patching practices were inadequate and contrary to its policy as there were no measures in place to check whether software updates and patches were implemented regularly.
  • Inadequate measures to detect attacks and identify and purge historic data were in place. Although Carphone Warehouse's internal monitoring measures alerted it to the attack, this occurred 15 days after the computer system was first compromised. The ICO also considered that historic transaction data (e.g. credit card details) should not have been retained.

Monetary penalty – mitigating circumstances

In considering the amount of the monetary penalty, the ICO took account of various mitigating features of the case. Carphone Warehouse took, for example, remedial actions to fix some of the problems caused by the cyber-attack. There was also no evidence that actual harm was caused by this particular cyber-attack as there was nothing to suggest that the compromised personal data was used for successful identity theft or fraud activities. In addition, the ICO accepted that valid login credentials were used to access the WordPress software (although the issue of how the attacker obtained these credentials remains uncertain).

The ICO, however, focussed on the series of inadequacies in Carphone Warehouse's data security measures and highlighted that there was no justification for the extent of such inadequacies on the part of an organisation which has the size and means to prevent them from occurring.

The ICO decision illustrates that extreme care should be taken to ensure that adequate measures are put in place for the prevention of cyber-attacks. The imposition of this fine by the ICO also reflects that large fines are a real threat under the current data protection regime which will increase significantly when the General Data Protection Regulation comes into effect in May 2018.