The UK Privacy Regulator Imposes an Unprecedented Fine for Inadequate Data Security

The United Kingdom’s Information Commissioner’s Office (ICO), the UK privacy regulator, has imposed an unprecedented fine of £400,000 against the British telecommunications retailer Carphone Warehouse. The action was taken as an aftermath of a cyber-attack that compromised personal data of more than three million Carphone Warehouse consumers and 1,000 employees. The ICO found that Carphone Warehouse violated the UK Data Protection Act’s requirement to implement appropriate technical and organizational measures to prevent unauthorized and unlawful access to personal data. 

The ICO determined that the cyber-attack was made possible due to security vulnerabilities and inadequacies in Carphone Warehouse's systems that were not addressed, even though the company could have known of the significant risk to its customers’ personal data. According to the ICO, the company violated the DPA in various ways such as:

  • At the time of the attack, Carphone Warehouse had no web Application Firewall (WAF) for monitoring and filtering traffic to and from its web application 
  • Carphone Warehouse did not enforce password policies that would prevent the use of the same administrator password by employees
  • Carphone Warehouse retained large amount of unnecessary personal data
  • Carphone Warehouse’s encryption keys were stored in the plaintext of the source code, an deficient practice in terms of data security.