Although the fine, imposed under the current Data Protection Act, is among the highest issued by the ICO, it’s dwarfed by the potential fines available under GDPR, coming into force on 25 May 2018; these will be up to a maximum of €20 million or 4% of global turnover, whichever is higher.
So why was the penalty for Carphone Warehouse so high? And what should organisations now do to protect themselves from action under GDPR?
According to the ICO, the attack in 2015 compromised:
- Personal data relating to over 3.3 million mobile phone customers, including full name, date of birth, marital status, current and previous address, time at address, phone number and email address.
- Historic credit and debit card transaction details for almost 20,000 transactions, including card numbers and CVC.
- Personal details of around 1,000 employees, including car registration numbers and personal phone numbers.
The ICO highlighted a number of issues in their report, some of which, together with the scale of the breach, were taken into account when determining the size of the fine:
- There were deficiencies in Carphone Warehouse’s technical and organisational measures which created real risks of data breaches.
- The success of the attacks relied on the fact that a number of important systems were many years out of date and therefore suffering from known vulnerabilities.
- There were no measures in place to make sure that updates and patches were being applied.
- The attacker was able to find and use credentials in plain text (i.e. unencrypted).
- At the time of the attack there was no Web Application Firewall (WAF) in place; the ICO considered that one could have prevented the attack from succeeding.
- Servers lacked antivirus software. This was contrary to Carphone Warehouse policy but, again, there were no measures in place to make sure policy was being followed.
- The same administrator password was used across several of the servers making up the Carphone Warehouse system, and those logon details were known to a large group of people (30 to 40).
- Some historical debit and credit card data had been retained when it should have been identified and purged. The historical transaction data was encrypted, but the encryption keys were stored in plain text, so the encryption offered little real protection.
- The attack had been ongoing for 15 days before it was detected.
The Information Commissioner, Elizabeth Denham, said:
“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.”
Under the current Data Protection Act the maximum fine for this kind of breach is £500,000, so Carphone Warehouse’s fine of £400,000 is 80% of the maximum. It’s the third time that a fine of this size has been issued (previous fines were for TalkTalk for a similar breach and for a company that made 99.5 million nuisance calls).
Fines under GDPR, which comes into force on 25 May, are much higher. Depending on the nature of the infringement they will be capped at €10 million or 2% of the company’s global annual turnover (whichever is the higher), or €20 million or 4% of global annual turnover. For professional firms, the threat of reputational damage may be as much a concern as anything.
What can accountancy practices do about GDPR?
If you haven’t already started planning for GDPR, it’s not too late but time is now very limited. Use the resources on this website and those published by the ICO and other government bodies to help you.
If you’re a Wolters Kluwer customer, you can also find out more about GDPR – including how our products will help you comply – in the What’s New area of the Wolters Kluwer Support website.