
ICO fines Carphone Warehouse £400,000 following systemic data failures

Published on 11 April 2018

Need an example of how not to protect your customers' and employees' data? Then, read on!

The background

In 2015, Carphone Warehouse was the victim of a cyber-attack, giving intruders access to personal data of more than three million customers and 1,000 employees as well as historic transaction details spanning over 18,000 payment cards for the period March 2010 - April 2011.  The card data comprised card holder names and addresses, card expiry dates and card numbers.

The security breach concerned a specific Carphone Warehouse computer system, which was overseen by a specific division of Dixons Carphone plc.

From 21 July to 5 August 2015, the system was subject to an external cyber-attack originating from an IP address in Vietnam.  The attacker scanned the system's server using Nikto, a “relatively commonplace” penetration testing tool used to find security issues such as outdated software and other vulnerabilities.  One of the vulnerable points was an installation of the content management system WordPress on one of the websites maintained on the system.  Via the WordPress installation, the attacker entered the system and uploaded “web shells” designed to give the attacker, among other things, basic file management and database functionality over the contents of the system.

The decision

On the evidence, the ICO found that Carphone Warehouse had committed a serious breach of the seventh data protection principle (Principle 7) in that:

  • important elements of the software in use on the system were many years out of date;
  • Carphone Warehouse’s approach to software patching was “seriously inadequate”.  Although a “Patch Management Standard” was in place, it was not being followed by the relevant business area;
  • Carphone Warehouse needed to have, but did not have in place, rigorous controls over who had WordPress login credentials;
  • inadequate vulnerability scanning and penetration testing measures were in place at the time.  It appeared that no routine testing procedures were in place and no internal or external penetration testing had been conducted in the 12 months leading up to the attack;
  • at the time of the attack, Carphone Warehouse had no Web Application Firewall (WAF) for monitoring and filtering traffic to and from its web applications;
  • contrary to Carphone Warehouse’s internal policy none of the servers that made up the system had antivirus technology installed;
  • it was some 15 days after the system was first compromised that the attack was noticed, suggesting inadequate technical measures were in place for detecting attacks;
  • the operating systems on the servers making up the system all had the same root password, which was known and used by some 30-40 members of staff;
  • there was no good reason for the retention of large volumes of historic transactions data.  Inadequate measures were in place to identify and purge such data;
  • while the historical transactions data was encrypted, encryption keys were stored in plain text within the application’s source code.  In terms of data security, plain text storage for encryption keys was inadequate, particularly for data relating to individuals' financial transactions. 
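The finding that the intrusion went unnoticed for some 15 days, despite an attacker running a well-known scanner, is the one a tech team can act on most directly.  As an added illustration (not part of the ICO notice or of RPC's report), the following Python flags clients in web server access logs that either announce themselves as Nikto in the User-Agent header or generate a high proportion of 404 responses, a pattern typical of scanners probing for files that are not there.  The log lines are constructed samples in Combined Log Format; the IP addresses, paths and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic); the scanner's User-Agent
# string follows the default form Nikto sends, with a made-up version.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jul/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
203.0.113.5 - - [21/Jul/2015:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"
203.0.113.5 - - [21/Jul/2015:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"
198.51.100.7 - - [21/Jul/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/39.0"
198.51.100.7 - - [21/Jul/2015:10:00:04 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/39.0"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_scanners(log_text, min_requests=3, not_found_ratio=0.6):
    """Return {client_ip: [reasons]} for clients that look like vulnerability scanners."""
    per_ip = defaultdict(lambda: {"total": 0, "notfound": 0, "nikto_ua": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that do not parse rather than crash
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == "404":
            stats["notfound"] += 1
        if "nikto" in rec["ua"].lower():
            stats["nikto_ua"] = True
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["nikto_ua"]:
            reasons.append("User-Agent identifies Nikto")
        # Only judge the 404 ratio once a client has sent enough requests to be meaningful.
        if s["total"] >= min_requests and s["notfound"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['notfound']}/{s['total']} requests returned 404")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A scanner can change its User-Agent, so the 404-ratio heuristic is the more durable of the two checks; in practice either hit should raise an alert for review rather than being left for a 15-day discovery.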

The ICO was satisfied that the contravention warranted a monetary penalty under s 55A of the Data Protection Act 1998, and imposed a fine of £400,000.  This was on the basis that, cumulatively, this “multi-faceted contravention” was extremely serious. 

Why is this important?

This decision provides a clear example of the types of systemic failures and deficiencies that the ICO will consider to be a breach of data protection principles under the Data Protection Act, and inevitably, under the GDPR also.  In that sense, it provides a ready-made checklist of possible contraventions which organisations, or rather their tech teams, need to protect against. 

Any practical tips?

£400,000 is a big fine under the ICO's current fining powers (which currently go up to a maximum of £500,000).  Come 25 May, the Information Commissioner will be able to pull the lever on fines of up to €20m or 4% of global turnover.  Against that backdrop, tech directors (whatever their sector) should be thinking seriously about what they should be doing now to make their systems more robust.

Lawyers can't implement technical measures themselves, but they can inform and warn.  So consider sharing this report on technical deficiencies with your tech team.  The sooner that everyone in the organisation, especially the tech specialists, gets a grip on the seriousness of the new GDPR world order, the safer your business will be.