What can retailers learn from the Carphone Warehouse breach?

If there’s one lesson to be learned from the recent £400,000 fine served to Carphone Warehouse following its 2015 data breach, it’s that there are no shortcuts when it comes to data protection. And with the General Data Protection Regulation (GDPR) now just a matter of weeks away, a breach under the new legislation could have even more disastrous consequences.

Some are saying that Carphone Warehouse is lucky that the attack didn’t occur under the new regulation – so what exactly could have happened if the timing was different? We take a look at the facts and explore the ‘what ifs’…

The breach

A cyber-attack on one of the retailer’s computer systems in 2015 exposed a large volume of personal data: the names, dates of birth, addresses, phone numbers, car registrations and marital status of more than three million customers and 1,000 employees. The attack also gave unauthorised access to the historical payment card details of over 18,000 customers.

So, it was by no means an insignificant breach – the ICO ruled that the leaked data was at high risk of being misused, which could significantly impact the privacy of the individuals affected. But where exactly did the retailer go wrong?

The failures

When it comes to protecting personal data, all companies, whatever their size, have a legal responsibility to ensure adequate security measures are in place. For smaller businesses, it is understood that limited resources and a lower headcount can make robust cyber-defences harder to implement, and this is often taken into account when penalties are set. For bigger organisations, with larger workforces and far greater financial means, the regulator is much less forgiving.

According to Information Commissioner Elizabeth Denham, a business as well resourced as Carphone Warehouse should have ensured its systems were robust enough to withstand cyber-attacks. The failings concerned “rudimentary, commonplace measures” – in short, the retailer should have known better. In its investigation, the ICO found a series of shortcomings in the retailer’s data security procedures and concluded that it had failed to implement appropriate measures to protect the personal data it held.

The impact

These shortcomings meant that attackers were able to reach one of the company’s computer systems through out-of-date WordPress software, logging in with valid credentials. As well as neglecting to keep its software up to date, the retailer had failed to carry out routine security testing. And because there was no procedure for identifying and deleting data it no longer needed, historic customer information, including payment card details, was still there to be taken.
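The third failing above, no routine for removing data that is no longer needed, is the one most often missing from retail estates, so here is a retention sweep as an added example. It is not Carphone Warehouse’s or the ICO’s code, and the data classes, retention periods, record layout and sample records are all assumptions constructed for illustration. Each record carries a data class and a last-used date; a class with no retention rule is treated as an error rather than silently kept, and the audit trail records only identifiers and a hash, never the personal data itself.

```python
"""Retention sweep over a constructed customer dataset.

Added example, not Carphone Warehouse's or the ICO's code. The data classes,
retention periods and record layout are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Assumed policy: how long each data class may be kept after it was last used.
RETENTION_DAYS = {
    "payment_card": 13 * 30,  # card details: about 13 months after the last transaction (assumption)
    "contact": 6 * 365,       # names/addresses of inactive customers: six years (assumption)
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    last_used: date
    payload: str  # the personal data itself; never written to the audit log


def is_expired(record, today):
    """True when the record is older than its class's retention period."""
    limit = RETENTION_DAYS.get(record.data_class)
    if limit is None:
        # Unknown class: fail closed by refusing to decide, so the sweep cannot
        # quietly retain a category nobody wrote a rule for.
        raise ValueError(f"no retention rule for data class {record.data_class!r}")
    return today - record.last_used > timedelta(days=limit)


def sweep(records, today, dry_run=True):
    """Return (kept, audit).

    `kept` holds the records that are still within retention. `audit` holds one
    entry per expired record with its id, class, last-used date, a truncated
    SHA-256 of the payload (so a later check can confirm what was removed) and
    the action taken. With dry_run=True nothing is treated as deleted.
    """
    kept, audit = [], []
    for r in records:
        if is_expired(r, today):
            digest = hashlib.sha256(r.payload.encode()).hexdigest()[:16]
            audit.append({
                "record_id": r.record_id,
                "data_class": r.data_class,
                "last_used": r.last_used.isoformat(),
                "payload_sha256_16": digest,
                "action": "would_delete" if dry_run else "deleted",
            })
        else:
            kept.append(r)
    return kept, audit


# Constructed sample data (not real customers or card numbers).
SAMPLE = [
    Record("c1", "payment_card", date(2014, 3, 2), "4111********1111 exp 03/16"),
    Record("c2", "payment_card", date(2015, 7, 20), "5500********0004 exp 11/17"),
    Record("c3", "contact", date(2009, 1, 15), "A. Customer, 1 High St"),
    Record("c4", "contact", date(2014, 11, 30), "B. Customer, 2 Low Rd"),
]
TODAY = date(2015, 8, 1)  # fixed so the run is reproducible

if __name__ == "__main__":
    kept, audit = sweep(SAMPLE, TODAY, dry_run=True)
    print("kept:", [r.record_id for r in kept])
    for entry in audit:
        print(entry)
```

Run it first with `dry_run=True` and review the audit list before letting it delete anything; on the sample data it flags `c1` (card details unused for over a year) and `c3` (a contact record unused for six and a half years) and keeps the other two. In a real estate the same rule set would be applied to the database or data warehouse holding card and customer records, with the audit entries retained as the evidence that the retention procedure actually ran.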

The volume and extent of the compromised data meant that the impact of the breach was significant, and the ICO ruled that the multiple failings on the part of Carphone Warehouse made this an “extremely serious” case.

Although there is no evidence that any of the leaked information has been used for identity theft or fraud, the Commissioner nevertheless found a “strikingly serious contravention” of Principle 7 of the Data Protection Act 1998, the requirement to take appropriate technical and organisational measures against unauthorised or unlawful processing. The company was issued with a penalty of £400,000, payable by 8 February. Not a small sum by any measure, but it brings us back to the question of what the outcome would have been under the GDPR.

The lessons

The maximum financial penalty under the new legislation will be €20 million (around £17 million) or 4% of the company’s global annual turnover, whichever is higher. If that is not enough of a deterrent against lax security and inadequate data protection practices, it is difficult to imagine what would be.

When the GDPR comes into effect, organisations will be required to build data protection into new and existing processes by design and by default, covering everything from hardware and software to guidelines, policies and the procedures themselves. They will also need to keep written, up-to-date records of the security measures they have taken, so they can demonstrate to the ICO that adequate steps were taken to protect personal data.

Just as data security is an ongoing process rather than a one-off project, GDPR compliance will require continual monitoring, evaluation and adjustment to ensure all personal information is stored and processed as securely as possible. In the Carphone Warehouse report, the Commissioner stressed that organisations need to “take serious steps to protect systems, and most importantly, customers and employees”, and that will apply with full force from 25 May 2018, when the GDPR takes effect.

If you need help with your company's compliance journey, get in touch to find out about the GDPR services we offer – from running free awareness workshops with your team to acting as your Virtual Data Protection Officer.