If there’s one lesson to be learned from the recent £400,000 fine served to Carphone Warehouse following its 2015 data breach, it’s that there are no shortcuts when it comes to data protection. And with the General Data Protection Regulation (GDPR) now just a matter of weeks away, a breach under the new legislation could have even more disastrous consequences.
Some are saying that Carphone Warehouse is lucky that the attack didn’t occur under the new regulation – so what exactly could have happened if the timing was different? We take a look at the facts and explore the ‘what ifs’…
A cyber-attack on one of the retailer’s computer systems in 2015 resulted in a huge amount of data being leaked. The personal information that was breached included the names, dates of birth, addresses, phone numbers, car registrations and marital status of more than three million customers and 1,000 employees. Plus, the attack also enabled unauthorised access to the historical payment card details for over 18,000 customers.
So, it was by no means an insignificant breach – the ICO ruled that the leaked data was at high risk of being misused, which could significantly impact the privacy of the individuals affected. But where exactly did the retailer go wrong?
When it comes to protecting personal data, all companies – no matter their size – have a legal responsibility to ensure adequate security measures are in place. For smaller businesses, there is the understanding that matters such as resource limitations and a lower headcount can cause difficulty when it comes to implementing robust cyber-defences – and these are often taken into account where penalties are issued. But for bigger organisations – which have larger workforces and plentiful financial funds at their disposal – the authorities are far less forgiving.
According to Information Commissioner Elizabeth Denham, such a well-resourced business as Carphone Warehouse should have been ensuring its data security systems were robust enough to be protected against cyber-attacks. The company’s oversights were apparently linked to “rudimentary, commonplace measures” – in short, the retailer should have known better. In its thorough investigation, the ICO found various shortcomings in the retailer’s data security procedures, concluding that it had failed to implement appropriate measures to protect the sensitive information.
These vulnerabilities meant that cyber-attackers were able to access one of the company’s computer systems through out-of-date WordPress software, by using valid login credentials. As well as neglecting to regularly update system software, it was revealed that the retailer had also failed to carry out routine security testing. Plus, as a result of there being no appropriate procedure in place to weed out and remove obsolete data, historic customer information – including payment details – was exposed.
The volume and extent of the compromised data meant that the impact of the breach was significant, and the ICO ruled that the multiple failings on the part of Carphone Warehouse made this an “extremely serious” case.
Although there is no evidence to suggest that any leaked information has been used for identity theft or fraud, the Commissioner nevertheless ruled that it marked a “strikingly serious contravention” of Principle 7 in the Data Protection Act 1998. The company has therefore been issued with a penalty of £400,000 and a payment deadline of 8 February. Not a small sum by any measures, but again, it brings us back to the question of what the outcome would have been under the GDPR?
The maximum financial penalty under the new data protection legislation will be either £17 million or 4% of the company’s global annual turnover – whichever is larger. If this isn’t enough of a deterrent against lax security and inadequate data protection practices, it’s difficult to imagine what would be.
When the GDPR comes into effect, organisations will be required to employ a ‘Privacy by Design’ approach to new and existing data processes – covering everything from hardware and software to guidelines and policies, to the procedures themselves. Plus, written documentation of the security measures taken will need to be saved – and kept up-to-date – in order to prove to the ICO that adequate efforts have been taken to protect personal data.
Just as data security is an ongoing procedure, GDPR compliance will require continual monitoring, evaluation and modification, to ensure all personal information is stored and processed as securely as possible. In the Carphone Warehouse report, the Commissioner stressed that organisations need to “take serious steps to protect systems, and most importantly, customers and employees” – and never will this have been more relevant than when 25 May 2018 finally arrives.
If you need help with your company’s compliance journey, get in touch to find out about the GDPR services we offer – from running free awareness workshops with your team to acting as your Virtual Data Protection Officer.