Carphone Warehouse fined £400K for serious 2015 data breach

3 million customers were affected, with thousands of card details exposed.

BEN STANSALL via Getty Images

The Information Commissioner's Office (ICO) is back to doing what it does best today, slapping Carphone Warehouse with a £400,000 fine for a 2015 data breach that exposed the personal information of over 3 million customers and 1,000 staff. It's one of the heftiest invoices the ICO has ever written up, though TalkTalk was fined just as much for failing to protect user data from a cyberattack that same year. Carphone Warehouse suffered a comparably serious breach that affected several of the company's brands. Not only were names, addresses, dates of birth and other personal details exposed, but the "historical" card details of 18,000 customers. According to the ICO, though, "there has been no evidence that the data has resulted in identify theft or fraud."

Naturally, not having appropriate security in place is the reason for the fine, and as far as hacks go, this one sounds relatively clumsy. "Using valid login credentials, intruders were able to access the system via an out-of-date WordPress software," the ICO states. "The Commissioner acknowledges the steps Carphone Warehouse took to fix some of the problems and to protect those affected," but this "serious contravention" of the Data Protection Act has left Carphone Warehouse staring at a £400,000 bill. Even though the hack was long-forgotten until today, Information Commissioner Elizabeth Denham took the opportunity to twist the knife and wag a stern finger at the retailer.

"A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures," she said.