MoneySavingExpert.com homepage
Cutting your costs, fighting your corner
Founder, Martin Lewis · Editor-in-Chief, Marcus Herbert
Search bar closed.
MSE News

Carphone Warehouse fined £400,000 for customer data breach

rhs-carphonewarehouse
Callum Mason
Callum Mason
News Reporter
10 January 2018

Carphone Warehouse has been fined £400,000 following a cyber-attack in which more than three million customers' data was compromised.

The phone retailer's computer systems were hit in a cyber-attack when hackers gained access via out-of-date WordPress software.

Today the Information Commissioner's Office (ICO) has issued one of the largest fines in its history, after criticising the "systemic failures" of the company.

The incident, in 2015, allowed hackers to gain unauthorised access to the personal data of over three million customers and 1,000 employees.

The compromised customer data included names, addresses, phone numbers, dates of birth, marital statuses and – for about 18,000 customers – historical payment card details.

See 30+ Ways to Stop Scams for ways to protect yourself online.

What did the ICO investigation find?

Following an investigation, the ICO found multiple flaws in Carphone Warehouse's approach to data security and said the company had failed to take adequate steps to protect personal information.

Using valid login details, the hackers were able to access the system via out-of-date WordPress software.

The cyber-attack also exposed inadequacies in the organisation's technical security measures – parts of the software were out of date and the company failed to carry out routine security testing.

There were also inadequate measures in place to identify and delete historic data.

'The systemic failures related to rudimentary, commonplace measures'

Information Commissioner Elizabeth Denham said: "A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.

"Carphone Warehouse should be at the top of its game when it comes to cybersecurity, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."

Carphone Warehouse said in a statement: "As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.

"Since the attack in 2015 we have worked extensively with cybersecurity experts to improve and upgrade our security systems and processes.

"We are very sorry for any distress or inconvenience the incident may have caused."

MSE Forum

Carphone Warehouse fined £400,000 for 2015 customer data breach

Forum image
MSE Email icon 3 December 2024

For all the latest deals, guides and loopholes simply sign up today - it’s spam free!

The truth about credit scores
Martin's need-knows
Compare+ Home Insurance
New MSE tool
Christmas consumer rights
12 must-knows
5.18% easy-access savings
Up to £20,000
50p photocard delivered
From Card Factory
Christmas light running costs
We've crunched the numbers
Coupons: 'Free' £2 crisps
Plus £2 off pizza
Tools and calculators

Clever ways to calculate your finances

Find your odds of getting top cards
Find your odds for getting a cheap loan
Compare broadband, phone & TV deals
Compares thousands of mortgages
Eight calcs to help you work out the cost
We ensure you’re on the cheapest tariff