With the General Data Protection Regulation (GDPR) just around the corner, the safeguarding of personal information should be a key priority for all businesses. Here, Andrew Stellakis – certified GDPR practitioner and MD of Q2Q IT – explores the fallout from the high-profile Carphone Warehouse data breach, and the lessons that North West companies should take from it…
If there’s one lesson to be learned from the £400,000 fine recently imposed on Carphone Warehouse for its 2015 data breach, it’s that there are no shortcuts when it comes to data protection. And with the GDPR now just a matter of weeks away, the same breach under the new legislation could have had far more serious consequences.
Some are saying that Carphone Warehouse is lucky that the attack didn’t occur under the new regulation – so what exactly could have happened if the timing was different?
A cyber-attack on one of the retailer’s computer systems in 2015 resulted in a huge amount of data being leaked. This included the names, dates of birth, addresses, phone numbers, car registrations and marital status of more than three million customers and 1,000 employees. The attackers also gained access to historical payment card details for more than 18,000 customers.
When it comes to protecting personal data, all companies – no matter their size – have a legal responsibility to ensure adequate security measures are in place. For smaller businesses, it is understood that limited resources and a lower headcount can make robust cyber-defences harder to implement, and regulators often take this into account when penalties are issued. Larger organisations, with bigger workforces and far greater financial resources at their disposal, are given much less leeway.
According to Information Commissioner Elizabeth Denham, such a well-resourced business as Carphone Warehouse should have been ensuring its data security systems were robust enough to be protected against cyber-attacks. In its thorough investigation, the ICO found various shortcomings in the retailer’s data security procedures, concluding that it had failed to implement appropriate measures to protect the sensitive information.
These shortcomings meant that the attackers were able to get into one of the company’s computer systems through an out-of-date WordPress installation, using valid login credentials. The investigation also found that the retailer neither updated its system software regularly nor carried out routine security testing. And because there was no procedure in place to identify and delete obsolete data, historic customer information – including payment card details that should no longer have been held – was still on the system to be exposed.
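The retention failure described above is the one shortcoming that a small, scheduled job can address directly: if stale card details are deleted on a schedule, they are not there to be stolen. The following Python is an added example and is not Carphone Warehouse’s code or anything drawn from the ICO report. It walks a constructed set of customer and stored-card records, flags those past an assumed retention window, cascades a customer purge to that customer’s cards, fails closed on a record type that has no rule, and refuses to run at all if it would delete an implausible share of the data. The record kinds, the retention windows and the sample rows are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Retention window per record type, in days. The numbers are assumptions made
# for this example; a real policy comes from the documented reason the business
# has for holding each category of data, not from a guess in a script.
RETENTION_DAYS = {
    "customer": 6 * 365,    # account details kept while the relationship is live
    "payment_card": 365,    # stored card details should not outlive their use
}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str        # key into RETENTION_DAYS
    owner_id: str    # customer the record belongs to
    last_used: date  # last order, login or charge that touched this record


def expired_ids(records, today, policy=RETENTION_DAYS):
    """Return the sorted ids of records that have outlived their retention window.

    Two deliberate choices: a kind with no rule raises instead of being silently
    kept forever, and a card is purged along with its owning customer so that no
    orphaned payment details remain after the customer record is gone.
    """
    stale = set()
    for r in records:
        if r.kind not in policy:
            raise ValueError(f"no retention rule for record kind {r.kind!r}")
        if (today - r.last_used).days > policy[r.kind]:
            stale.add(r.record_id)
    purged_owners = {r.owner_id for r in records
                     if r.kind == "customer" and r.record_id in stale}
    for r in records:
        if r.kind == "payment_card" and r.owner_id in purged_owners:
            stale.add(r.record_id)
    return sorted(stale)


def purge(records, today, policy=RETENTION_DAYS, max_fraction=0.5):
    """Split records into (kept, purged) lists.

    Refuses to act if more than max_fraction of the data would go: that almost
    always means a wrong clock or a mis-typed policy rather than a genuinely
    stale dataset, and a retention job must not become a mass-deletion incident.
    """
    stale = set(expired_ids(records, today, policy))
    if records and len(stale) / len(records) > max_fraction:
        raise RuntimeError(
            f"refusing to purge {len(stale)} of {len(records)} records; "
            "check the reference date and the policy before overriding")
    kept = [r for r in records if r.record_id not in stale]
    purged = [r for r in records if r.record_id in stale]
    return kept, purged


# Constructed sample data for the example; none of it refers to real people.
TODAY = date(2018, 1, 10)
SAMPLE = [
    Record("c1", "customer", "c1", date(2017, 12, 1)),            # active
    Record("c2", "customer", "c2", date(2010, 3, 4)),             # dormant for years
    Record("c3", "customer", "c3", date(2018, 1, 2)),             # active
    Record("card-a", "payment_card", "c1", date(2017, 11, 20)),   # used recently
    Record("card-b", "payment_card", "c1", date(2015, 6, 1)),     # unused for 2.5 years
    Record("card-c", "payment_card", "c2", date(2017, 12, 30)),   # recent, but owner c2 goes
    Record("card-d", "payment_card", "c3", date(2018, 1, 2)),     # used recently
]

if __name__ == "__main__":
    # Dry-run report: print what would go before wiring this to real deletes.
    kept, purged = purge(SAMPLE, TODAY)
    for r in purged:
        print(f"purge {r.kind:13} {r.record_id:7} last used {r.last_used}")
    print(f"{len(kept)} records kept, {len(purged)} purged")
```

Run as a script it prints a dry-run report; on the sample data the dormant customer c2, the long-unused card-b and card-c (recent, but belonging to c2) are purged while everything else is kept. The cascade matters because a card record that outlives its customer is exactly the kind of orphaned historic data the ICO found still sitting on the system, and the mass-deletion guard is there because a job that deletes personal data needs to fail safe when its inputs are wrong.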
Although there is no evidence to suggest that any of the leaked information has been used for identity theft or fraud, the Commissioner nevertheless ruled that the breach marked a “strikingly serious contravention” of Principle 7 of the Data Protection Act 1998. The company has therefore been issued with a penalty of £400,000, with a payment deadline of 8 February. That is not a small sum by any measure, but it brings us back to the question of what the outcome would have been under the GDPR.
The maximum financial penalty under the new data protection legislation will be either £17 million (€20 million in the regulation’s own wording) or 4% of the company’s global annual turnover – whichever is larger. If this isn’t enough of a deterrent against lax security and inadequate data protection practices, it’s difficult to imagine what would be.
Just as data security is an ongoing process, GDPR compliance will require continual monitoring, evaluation and adjustment to ensure that all personal information is stored and processed as securely as possible. In the Carphone Warehouse report, the Commissioner stressed that organisations need to “take serious steps to protect systems, and most importantly, customers and employees” – and that advice will never be more relevant than on 25 May 2018, when the GDPR finally takes effect.