Carphone Warehouse should thank its lucky data stars that it got fined now
12 January 2018
By handing a £400,000 data breach fine to Carphone Warehouse, the ICO has maintained its stance against companies failing to take security seriously. But imagine what the bill would have come to were GDPR already in force.
Carphone Warehouse has been fined as a result of “unauthorised access” by hackers in 2015. The breach compromised the personal data of over three million customers and 1,000 employees, and according to Elizabeth Denham, the UK’s information commissioner, such incidents will prove costly once GDPR is in force.
“The legislation will impact the UK from 25 May 2018 onwards,” she wrote. “That’s not new news. It is a fact.” That a company as established as Carphone Warehouse hadn’t “been actively assessing security systems and ensuring defence against such attacks,” was concerning, she said.
Any business, no matter what size, that processes and holds the personal data of those in the EU will have to ensure adequate measures are put in place.
“Consider whether current security procedures will protect said held data,” James Castro-Edwards, partner and head of data protection at Wedlake Bell, advised. “If the answer is no, then things need to change.
“By taking simple steps such as regular security reviews, penetration testing, software updates and patches, organisations can set in motion a process that will significantly reduce risk and avoid the penalties set out in the GDPR.”
That hackers infiltrated Carphone Warehouse through out-of-date WordPress software shows the importance of securing a business from multiple angles, Aaron Higbee, CTO and co-founder of PhishMe, added.
As of yet, there is no “singular technology solution that can guarantee data breach prevention,” he said, “which reinforces why technology alone isn’t enough to defend against today’s top threats. You also need to improve human-focused defences.”
In terms of the fine itself, experts suggest Carphone Warehouse should be glad it was levied when it was.
The sentiment was echoed by Mark Weston, head of IT, IP and commercial at Hill Dickinson, who told Real Business that “Carphone Warehouse got off ‘lightly’ by being fined £400,000” – the ICO has established a 20 per cent discount for early fine payments.
“Under the current law, the company’s maximum fine would have been around £500,000,” he said. “But being fined four fifths of the maximum is not the only reason Carphone Warehouse got off lightly. Had the GDPR been in force, the bill could have increased to the greater of £17m or four per cent of its annual global group turnover.
“There’s less than 100 working days left before these new fine levels are implemented. Carphone Warehouse should thank its lucky data stars the breaches and fines happened when they did.”