The UK’s data protection regulator – the ICO – has fined Carphone Warehouse, one of the largest independent telecommunications retailers in Europe, £400,000 for a serious data security breach. The fine follows an investigation by the ICO into a cyber-attack on Carphone Warehouse’s computer systems in 2015. It is one of the largest monetary penalties levied by the ICO to date - just under the maximum monetary penalty under current legislation. In the Information Commissioner’s written decision, she has set out clear guidelines for effective data security programs. Organizations should take note – or else be prepared to face significant penalties, both under the current UK regime and, with effect from May 2018, under the General Data Protection Regulation (“GDPR”).
In an ICO press release, the Information Commissioner voiced concerns that Carphone Warehouse, which is a company that should be “at the top of its game”, contained “systemic failures, related to rudimentary, commonplace measures”, which amounted to a “strikingly” serious contravention of the UK Data Protection Act (the “UK Act”).
Both the steep fine given to Carphone Warehouse and the comments made by the ICO in the penalty notice serve as a cautionary tale for businesses to ensure they have in place adequate data security measures. In determining the size of the fine, the ICO took into account “the importance of deterring future contraventions of this kind, both by Carphone Warehouse and others”. Organizations should take their data security responsibilities seriously and regularly revisit their practices (not just their policies), particularly if they hold large amounts of personal information.
What does the current legislation require?
The UK Act requires data controllers to ensure that “appropriate technical and organisational measures [are] taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
However, the legislation does not go into detail about the practical steps this requirement specifically entails. Rather, it provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.”
Any processors and sub-processors which carry out processing on behalf of the data controller will also have to comply with these measures via data processing agreements with the controller.
From 25 May 2018, the UK Act will be replaced by the GDPR. However, in practice, Article 32 of the GDPR requires similar obligations with respect to data security as are currently required under the UK Act.
Lessons learned from Carphone Warehouse
At the time of the attack, Carphone Warehouse’s systems comprised “a complex cluster of virtual servers hosting several internal and external websites” (the “System”) and contained records for over 3.3 million customers, historic transaction details (including payment card details) and over 1,000 employee records. The hacker was able to enter the System via an outdated Wordpress installation, using valid login credentials and subsequently accessed local databases containing large amounts of personal information. While the ICO’s Monetary Penalty Notice acknowledges that there was no single root cause of attack, the ICO stated that significant deficiencies in technical and organizational measures increased the likelihood of a breach and acted as “an essential causal role”.
In particular, the following deficiencies were highlighted by the Information Commissioner to have contravened the data security obligations under the UK Act:
The ICO emphasized that even though any of the inadequacies alone would have constituted a separate contravention of the UK Act, the long list of missteps signalled that the problems were wide-ranging and endemic. Moreover, a lot of Carphone Warehouse’s inadequacies were related to fundamental, basic measures, rather than single isolated issues.
With the GDPR coming quickly into view, now is the perfect time for organizations to re-evaluate their technical and security mechanisms and take stock of the ICO’s warnings in the Monetary Penalty Notice: