Penalty for Carphone Warehouse for lack of data protection
Carphone Warehouse claims to be the largest independent reseller of telecommunications equipment (primarily cell phones in the UK).
The company was the victim of a cyberattack in the summer of 2015, which, according to the UK's data protection authority, originated in Vietnam. One of the company's IT systems was targeted. This system contained a total of 3,348,869 customer records, which consisted of the following information:
- First and last name
- Date of birth
- Marital status
- Current and former residential addresses
- Telephone number
- Email address
In 389 records, the user's password was also included. Furthermore, transaction details for the period March 2010 to April 2011 were found; these contained a total of 18,231 credit card details, with one record consisting of cardholder, address, expiration date, credit card number and verification number.
In addition to this customer data, employee data (approximately 1,000 records) was also found; this contained the following data:
- First and last name
- Postcode
- Company email address and username
- Business and home phone number
- Registration number of the private vehicle
- Responsible company department and name of supervisor
Course of the attack
Among other things, various company websites were also hosted on the system, including a homepage running an outdated WordPress instance from 2009. Already known vulnerabilities in this version were used to gain access to the WordPress instance. The attackers installed several webshells and were thus able to reach the underlying operating system, so the entire server could be taken over. This gave them access to the file system, where they found unencrypted access credentials for various databases, which were then accessed in turn. The attackers copied large amounts of data from the system, and it was this volume of data leaving the system that eventually led employees to notice the attack.
Investigation by data protection authority
During its investigation, the data protection authority found that basic security measures had not been implemented. Various software was out of date. Furthermore, the password of the administrator account was known to 30-40 people and was identical to that of many other systems. The lack of a web application firewall (WAF) was also criticized; according to the specialist company involved, a WAF would very probably have prevented the attack.
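The two findings above that most directly enabled the attack, database credentials stored in clear text on the web server's file system and one administrator password shared across many systems, are both things a defender can check for routinely. The following script is an added example written for this summary, not code from the ICO or from Carphone Warehouse: it walks a constructed web root to flag config files that embed a password, reads the WordPress version file and compares it against a placeholder baseline version, and groups a constructed credential inventory by password hash to reveal reuse across systems. All file contents, hostnames, hash values and the `MIN_SUPPORTED_WP` baseline are assumptions made up for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample web root (not the server from the incident): a stale
# WordPress install plus config files that hold database passwords in clear text.
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '2.8.4';\n",
    "wp-config.php": (
        "<?php\n"
        "define('DB_USER', 'shop');\n"
        "define('DB_PASSWORD', 'Summer2009!');\n"
    ),
    "legacy/reports/db.ini": "[db]\nuser=reports\npassword=Summer2009!\n",
    "index.php": "<?php echo 'hello'; ?>\n",
}

# Constructed credential inventory: (system, account) -> password hash.
# The hash strings are placeholders standing in for a vault or AD export.
SAMPLE_INVENTORY = {
    ("web-01", "administrator"): "h1",
    ("db-01", "administrator"): "h1",
    ("mail-01", "administrator"): "h1",
    ("backup-01", "administrator"): "h7",
}

# Placeholder baseline: any install below this version is reported as outdated.
# In practice, set it from the vendor's current supported-release list.
MIN_SUPPORTED_WP = (6, 0, 0)

# Patterns for passwords embedded in config files (PHP define and INI style).
CREDENTIAL_PATTERNS = [
    re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'\s*\)"),
    re.compile(r"^\s*password\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE),
]


def write_sample_tree(root):
    """Materialise the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def find_plaintext_credentials(root):
    """Return sorted relative paths of files that embed a password in clear text."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            if any(p.search(text) for p in CREDENTIAL_PATTERNS):
                hits.add(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def wordpress_version(root):
    """Parse $wp_version from wp-includes/version.php as a tuple, or None if absent."""
    path = os.path.join(root, "wp-includes", "version.php")
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        m = re.search(r"\$wp_version\s*=\s*'([\d.]+)'", fh.read())
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def is_outdated(version, baseline=MIN_SUPPORTED_WP):
    """True when a parsed version is below the configured baseline."""
    return version is not None and version < baseline


def find_password_reuse(inventory):
    """Group accounts by password hash; return only groups spanning more than one account."""
    by_hash = defaultdict(list)
    for (system, account), pw_hash in inventory.items():
        by_hash[pw_hash].append(f"{system}:{account}")
    return {h: sorted(v) for h, v in by_hash.items() if len(v) > 1}


def audit(root, inventory):
    """Combine the three checks into one report dictionary."""
    version = wordpress_version(root)
    return {
        "plaintext_credential_files": find_plaintext_credentials(root),
        "wordpress_version": version,
        "wordpress_outdated": is_outdated(version),
        "shared_passwords": find_password_reuse(inventory),
    }


def run_sample_audit():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return audit(root, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for key, value in run_sample_audit().items():
        print(f"{key}: {value}")
```

On the sample tree the report lists both config files holding a password, reports the WordPress install as outdated against the baseline, and shows the one hash shared by three administrator accounts; the same functions can be pointed at a real web root and a real credential export. The password-reuse check compares hashes rather than passwords, so it works on exported data without ever handling the clear-text secret, but it only detects reuse when the export uses the same salt or no salt for the accounts compared.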
In addition to these technical deficiencies, the data protection authority also criticized the fact that the storage of various data was inappropriate. Retaining credit card data from five-year-old transactions was illegal.
Fine
The data protection authority fined the company £400,000 (approximately €460,000) as a result of the deficiencies. The decisive factor was the obvious technical deficiencies, which made the attack possible in the first place.
As the incident occurred before the GDPR came into force, the UK Data Protection Act (DPA) applied, which provided for a maximum fine of £500,000.
Decision date:
18.01.2019
Country:
Great Britain
Type of violation:
Theft of Data
Records affected:
3 348 869
Were sensitive data affected?:
No
Fine imposed:
€460,000
GDPR Articles violated:
24. Responsibility of the controller
25. Data protection by design and by default
32. Security of processing
5. Principles relating to personal data processing
Source:
Communication from the UK data protection authority ICO (English)