
A CharityConnect User Posted 7 years ago

CharityConnect: Are you the only Victim if your Charity is attacked by Cyber Crime?
In 2015, Carphone Warehouse were victims of a Cyber Attack when the data they held was exposed; however, the real victims were the 1,000 Carphone Warehouse employees and over 3 million of their customers. The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
Carphone Warehouse state on their website that one of their core values is to provide ‘unbeatable customer service’. However, the ICO considered that the personal data left exposed from the Cyber Attack could significantly affect individuals’ privacy, leaving their data at risk of being misused. The failure to protect their customers’ sensitive data led to the ICO issuing Carphone Warehouse with a fine of £400,000.
Information Commissioner, Elizabeth Denham said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Although Cyber Attacks can be complicated, most attacks can be easily avoided. In the case of Carphone Warehouse’s breach, the attackers were able to access the system via out-of-date WordPress software. As the Information Commissioner stated, this is something that could have easily been avoided, especially for an Organisation as big and as well-resourced as Carphone Warehouse.
In total, the ICO found 11 separate failings in Carphone Warehouse’s security and information governance practices – each of which constituted a breach of the Data Protection Act. Those failings included:
• A failure to take “adequate steps” to protect the personal information
• Important elements of the software being used on the systems affected were out of date
• A failure to carry out routine security testing
• A lack of defensible deletion policies
How could Carphone Warehouse have circumvented the Cyber Attack? By getting in touch with Vox Securitas (of course!)
Vox Securitas’ mission is to secure Organisations against Cyber Attacks, so companies like Carphone Warehouse can offer peace of mind to customers that their data is protected.
Even without IT experts to hand, SMEs and Charities can also put processes in place to protect their systems, data and reputation. Have you asked yourself the following questions about your Organisation’s cyber security?
  • What software is installed on all hardware owned by your Organisation?
  • How is the software updated? (not updating your software can leave you vulnerable to cyber attacks – as Carphone Warehouse found out the hard way).
  • Who is responsible for patch management and build updates on your software applications?
  • Where is your data kept within the organisation?
  • How is the data protected?
  • How informed are staff about the risks of out-of-date software, phishing attacks and the problems of sharing information online or via email?
  • Do you need to initiate, update or refresh cyber-security awareness training for your staff?
What does Cyber Security have to do with GDPR?
From 25 May this year, the law is set to get more stringent as the General Data Protection Regulation (GDPR) comes into effect. *Data protection by design is one of the requirements and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards, and policies that an organisation has or should have.
*Data protection by design and default:
  • Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
  • Privacy by design has always been an implicit requirement of data protection that the ICO has consistently championed.
  • The ICO has published guidance on privacy by design. We are working to update this guidance to reflect the provisions of the GDPR. In the meantime, the existing guidance is a good starting point for organisations.
Vox Securitas can assist your Organisation in implementing the best technical procedures and policies, through a Government-backed Cyber Security certification, and organisational processes in order to become GDPR compliant.