Lessons from the Carphone Warehouse cyber-attack

Mobile phone retailer Carphone Warehouse was hit with a £400,000 fine in January, after hackers got access to the personal data of more than three million customers and 1,000 employees in 2015.

The penalty is one of the largest ever issued by the Information Commissioner’s Office (ICO), matching TalkTalk's £400,000 fine for a cyber breach in October 2016. How, though, can retailers learn from this and tackle poor security before disaster strikes?

The attack
The data breach which struck Carphone Warehouse in 2015 targeted a specific Dixons Carphone computer system which hosted internal and external websites, including e-commerce sites.

Hackers used valid login details to access the system, exploiting out-of-date WordPress software to compromise customer records. These included names, addresses, phone numbers, dates of birth and marital status, as well as historical payment card details for more than 18,000 customers. The attackers also accessed the personal data of approximately one thousand Carphone Warehouse employees, such as names, phone numbers, postcodes and car registrations.

The action
As soon as Carphone Warehouse became aware of the attack, it took steps to secure its computer and data storage systems as per protocol and notified the ICO, along with those potentially affected by the breach. However, the attack highlighted a number of deficiencies in Carphone Warehouse’s security measures, which according to the ICO “played an essential causal role” in the incident. 

As a result, the ICO found that Carphone Warehouse had seriously contravened the Seventh Principle in the Data Protection Act 1998 (DPA) which states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

The aftermath
Information Commissioner, Elizabeth Denham, said: "A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks."

"Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

The findings from the ICO should have provided a wake-up call for retailers, as well as other businesses, to ensure that comprehensive processes were in place in order to maximise data security.

Data regulation
The Seventh Principle of the DPA, which was judged to have been contravened by Carphone Warehouse, is reflected in Article 32 of the General Data Protection Regulation (GDPR), which sets out more detailed requirements than the DPA did. This, coupled with the increased fines possible under the GDPR – which can reach up to €20 million or four percent of annual global turnover – means that security should always be a high priority both on the board agenda and in all GDPR implementation programmes, with adequate planning, budget and resourcing to match.

When it comes to compliance with the security principle under the DPA or going forwards under the GDPR, there is no one size fits all approach. Although some sectors may have generally accepted security standards (for example, compliance with ISO 27001), organisations must assess their own security measures on a case-by-case basis, taking into account the nature of the data processing and the harm that might result if that data is accidentally or deliberately compromised.

In each case, there should be regard to technological developments and the costs of introducing new security measures.

Learning from this example
Retailers can help to protect their data by keeping all software systems regularly updated and maintained. This means frequently applying patches and other remedial steps, installing up-to-date anti-virus software and firewalls to monitor and filter traffic to and from web applications, putting in place attack detection measures and procedures, and running vulnerability assessments and penetration tests against systems.

Data should be properly encrypted and data records regularly cleansed, with a frequent review of access controls and a limit on the sharing of passwords. 
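As an added illustration of the access-control review described above (example code written for this page, not from the article, Carphone Warehouse or the ICO), the following Python script runs two simple checks over a constructed export of account records: it flags accounts that have not logged in within a review window (candidates to disable), and accounts whose single credential has been used from several distinct hosts, a common symptom of a shared password. The record format, the sample accounts and the thresholds are assumptions; a real review would read the same fields from the identity provider or application user store.

```python
"""Access review over a constructed set of account records.

Added example, not from the article or from Carphone Warehouse / the ICO.
The record layout (name, role, last login, distinct source hosts) is an
assumption; real identity systems export these fields in their own formats.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    """One row of an access review export (constructed format, an assumption)."""
    name: str
    role: str
    last_login: date | None                             # None: never used
    sources: list[str] = field(default_factory=list)    # distinct hosts the credential was used from


def review_accounts(accounts, as_of, dormant_days=90, shared_sources=3):
    """Flag accounts that an access review should act on.

    dormant: no login within `dormant_days` of `as_of`, or never; these are
        candidates to disable or remove.
    shared_credential: one credential used from `shared_sources` or more distinct
        hosts in the window, a heuristic sign that the password is being shared
        rather than held by a single, accountable person.
    Returns a dict of category -> sorted list of account names. An account can
    appear in both categories.
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"dormant": [], "shared_credential": []}
    for acct in accounts:
        if acct.last_login is None or acct.last_login < cutoff:
            findings["dormant"].append(acct.name)
        if len(set(acct.sources)) >= shared_sources:
            findings["shared_credential"].append(acct.name)
    return {category: sorted(names) for category, names in findings.items()}


# Constructed sample data: none of these accounts or addresses are real.
REVIEW_DATE = date(2015, 8, 1)
ACCOUNTS = [
    Account("j.smith", "user", date(2015, 7, 30), ["10.1.2.3"]),
    # Privileged credential seen from four different hosts: likely shared.
    Account("webadmin", "admin", date(2015, 7, 31),
            ["10.1.2.3", "10.1.9.8", "203.0.113.7", "198.51.100.2"]),
    # Privileged account untouched for five months: should have been disabled.
    Account("contractor", "admin", date(2015, 3, 1), ["10.1.5.5"]),
    # Service account that has never logged in: remove or document its purpose.
    Account("svc_backup", "service", None, []),
    Account("a.jones", "user", date(2015, 7, 1), ["10.1.2.4", "10.1.2.5"]),
]


if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS, REVIEW_DATE).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

The thresholds are deliberately parameters: a 90-day dormancy window and a three-host sharing threshold suit many office environments, but shift workers on shared terminals or travelling staff will need different values, and the point of the review is the follow-up (disabling, re-issuing individual credentials, recording the decision) rather than the list itself.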

In addition to ensuring that appropriate technical measures are taken, businesses should take the appropriate organisational measures to achieve compliance with the security principle. These include identifying individuals or teams who will be responsible for data security, and training staff so that they are aware of the importance of data security and of the organisation's security and usage policies. A data breach procedure should also be implemented, and this should set out a recovery plan.

In the coming years, it is anticipated that cyber-attacks will increase in number and, unfortunately, some will get through businesses’ security systems. By following the ICO’s guidance, putting the right processes in place and having the ability to demonstrate such protection measures, retailers can not only bolster their security but also reduce the likelihood of a regulatory fine in the event of a breach.