The UK’s data protection regulator – the ICO – has fined Carphone Warehouse, one of the largest independent telecommunications retailers in Europe, £400,000 for a serious data security breach. The fine follows an investigation by the ICO into a cyber-attack on Carphone Warehouse’s computer systems in 2015. It is one of the largest monetary penalties levied by the ICO to date - just under the maximum monetary penalty under current legislation. In the Information Commissioner’s written decision, she has set out clear guidelines for effective data security programs. Organizations should take note – or else be prepared to face significant penalties, both under the current UK regime and, with effect from May 2018, under the General Data Protection Regulation (“GDPR”).
In an ICO press release, the Information Commissioner voiced concerns that Carphone Warehouse, which is a company that should be “at the top of its game”, contained “systemic failures, related to rudimentary, commonplace measures”, which amounted to a “strikingly” serious contravention of the UK Data Protection Act (the “UK Act”).
Both the steep fine given to Carphone Warehouse and the comments made by the ICO in the penalty notice serve as a cautionary tale for businesses to ensure they have in place adequate data security measures. In determining the size of the fine, the ICO took into account “the importance of deterring future contraventions of this kind, both by Carphone Warehouse and others”. Organizations should take their data security responsibilities seriously and regularly revisit their practices (not just their policies), particularly if they hold large amounts of personal information.
What does the current legislation require?
The UK Act requires data controllers to ensure that “appropriate technical and organisational measures [are] taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
However, the legislation does not go into detail about the practical steps this requirement specifically entails. Rather, it provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.”
Any processors and sub-processors which carry out processing on behalf of the data controller will also have to comply with these measures via data processing agreements with the controller.
From 25 May 2018, the UK Act will be replaced by the GDPR. However, in practice, Article 32 of the GDPR requires similar obligations with respect to data security as are currently required under the UK Act.
Lessons learned from Carphone Warehouse
At the time of the attack, Carphone Warehouse’s systems comprised “a complex cluster of virtual servers hosting several internal and external websites” (the “System”) and contained records for over 3.3 million customers, historic transaction details (including payment card details) and over 1,000 employee records. The hacker was able to enter the System via an outdated Wordpress installation, using valid login credentials and subsequently accessed local databases containing large amounts of personal information. While the ICO’s Monetary Penalty Notice acknowledges that there was no single root cause of attack, the ICO stated that significant deficiencies in technical and organizational measures increased the likelihood of a breach and acted as “an essential causal role”.
In particular, the following deficiencies were highlighted by the Information Commissioner to have contravened the data security obligations under the UK Act:
- Important elements of the software in use on the System were out of date, making it an easy target for the hacker. Further, Carphone Warehouse failed to ensure that software updates and patches were implemented regularly. Although a “Patch Management Standard” was in place, it was not followed by the business, and there was no mechanism in place to check policy implementation.
Tip: Make sure that your organization has a practical mechanism (and not just a written policy) for regularly reviewing the software used within its systems. If any software is out of date, it should be updated, patched or replaced – this may involve shopping around for alternative software providers.
- There were no rigorous controls over who had Wordpress credentials and no measures to detect unauthorized use of such credentials. In addition, Carphone Warehouse had implemented the same root password for the operating system on the System’s servers, which was known by at least 30 members of staff.
Tip: Keep your organisation’s credentials secret and only share with a small list of personnel; this list should be periodically managed and reviewed and the credentials should be regularly changed.
- Carphone Warehouse had failed to implement adequate vulnerability scanning and penetration testing measures and there was a delayed response from the internal monitoring measures.Tip: Again, carry out routine testing procedures and don’t rely solely on your policies. Regularly stress-test your systems against different types of attacks (both internal and external), and provide training to relevant staff so they know how to react if a real attack occurs.
- The System was not protected by any web application firewalls for monitoring and filtering traffic to and from Carphone Warehouse’s web applications. No antivirus technology had been installed on the System.
Tip: These are “widely accepted security standards”, which your organization will be expected to follow, and they could help delay or deter a potential attack.
- There was an unnecessary retention of data relating to historic transactions (including full credit card details), which suggested an insufficient understanding of Carphone Warehouse’s IT systems architecture and the location of retained personal information.
Tip: The longer you keep personal information, the more information you leave vulnerable to a potential attack. Regularly review your retention procedures and audit what personal information you keep. If you don’t have a reason to store personal information, delete it.
- Encryption keys had been stored in plaintext, which was insufficient for protecting data.
Tip: Don’t leave any keys, passwords, or credentials unprotected and don’t store the keys with the information being protected.
The ICO emphasized that even though any of the inadequacies alone would have constituted a separate contravention of the UK Act, the long list of missteps signalled that the problems were wide-ranging and endemic. Moreover, a lot of Carphone Warehouse’s inadequacies were related to fundamental, basic measures, rather than single isolated issues.
With the GDPR coming quickly into view, now is the perfect time for organizations to re-evaluate their technical and security mechanisms and take stock of the ICO’s warnings in the Monetary Penalty Notice:
- Ignorance is no defence. Know what personal information you’re storing and adequately protect it. If any of the personal information is unnecessary for your stated purposes, delete it.
- Make sure you get the basics right. Regularly check that your system installs software updates and patches and that you don’t have any important passwords, log-in details, and credentials in unsecured locations. If the software you use is no longer supported or updated, this means you’re no longer protected. If your service providers are not providing adequate updates, switch service providers.
- Stress-test your systems. A data security policy is not enough by itself. Carry out regular vulnerability scanning and penetration testing to ensure that you’re prepared for a cyber-attack and that your organization and, more practically, your personnel are able to respond quickly should the inevitable happen.