Punishment for Carphone Warehouse for lack of data protection
Carphone Warehouse claims to be the largest independent reseller of telecommunications equipment (predominantly mobile phones in the UK).
The company was the victim of a cyber attack in the summer of 2015, which, according to the British Data Protection Authority, was from Vietnam. A computer system of the company was the target. This system contained a total of 3,348,869 customer records, which hold of the following information:
- First and Last Name
- Date of birth
- marital status
- Current and former residential addresses
- phone number
- e-mail address
A total of 389 records also had the password of the users included. In addition, transaction details for the period March 2010 to April 2011 were found, containing a total of 18,231 credit card details (with cardholder, address, expiration date, credit card number and verification number).
In addition to these customer data, employee data (about 1,000 data records) were also found, which contained the following information:
- First and Last Name
- Post Code
- E-mail address and user name in the company
- Business and private telephone number
- License plate of the private vehicle
- responsible company department and name of supervisor
Expiration of the attack
Among other things, various corporate websites were also stored on the server, including a homepage with an outdated WordPress installation from year 2009. The known vulnerabilities were used to gain access. The attackers installed several Webshells and were able to gain access to the underlying system, so the entire server could be taken over. This allowed access to the file system, where the attackers found unencrypted access data for various databases, which were then accessed. Data were copied from the system.
Investigation by the Data Protection Authority
The DPA found during their investigation that basic security measures has not been implemented. Various software was not up to date. Furthermore, the password of the administrator account was known by 30-40 people and was identical to that of many other systems. Also the lack of a Web Application Firewall (WAF) was criticized, which would have prevented the attack with high probability according to consulted specialized company.
In addition to these technical deficiencies, the DPA also criticized that the storage of various data was inappropriate. The removal of credit card data from five-year-old transactions has been inadmissible.
The DPA imposed a fine of £ 400,000 (approximately € 460,000) on the company due to the deficiencies. Decisive were the obvious technical defects, which made the attack possible.
Since the incident occurred before GDPR, the British Data Protection Act (DPA) was applied, which provided for a maximum fine of £ 500,000.
The computer systems of companies must be state-of-the-art all the time. Measures which are sufficent today, can be obsolete in next year. To have your computer systems state-of-the-art the whole time, it is necessary to have a tool, which helps you. easyGDPR does not only show you, which measures are necessary, in addition it creates the mandatory GDPR documentation and ensures that your data processing is lawful.
Art des Verstoßes:
Theft of Data
3 348 869
Waren sensible Daten betroffen?:
Violation of GDPR Paragraph:
24. Responsibility of the controller
25. Data protection by design and by default
32. Security of processing
5. Principles relating to personal data processing