UK: ICO slams Carphone Warehouse with £400,000 penalty; inadequate security contributed to 2015 hack
If you’ve been following along since 2015, you may recall a breach involving Carphone Warehouse that was first disclosed in August, 2015. At the time, we were told that the hack affected 2.4 million customers’ data and about 90,000 customers’ credit cards.
Fast forward to today, when the U.K.’s Information Commissioner announced that it has imposed one of its largest fines ever for a data protection failure – £400,000 (USD $540,704.66). And according to the ICO,
The company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees.
The compromised customer data included: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
The records for some Carphone Warehouse employees, including name, phone numbers, postcode, and car registration were also accessed.
Similar to the type of analysis done by the Federal Trade Commission in the U.S., the ICO fined CW after identifying multiple inadequacies in Carphone Warehouse’s approach to data security and determining that the company had failed to take adequate steps to protect the personal information. Unlike the FTC, however, the ICO has the authority to impose monetary penalties for failures to provide adequate data security. The FTC may only impose monetary penalties for breaches if the breach is not the first breach and occurred because a previous corrective action plan was not adhered to.
And once again we see that in the UK, entities can suffer consequences even if there is no evidence of misuse of data or other tangible/financial harms from an incident. That issue of harm continues to be a stumbling block in U.S. litigation, with Daniel Solove and Danielle Citron arguing in an upcoming Texas Law Review article, Risk and Anxiety: A Theory of Data Breach Harms, that the issue of harm needs a serious rethinking because U.S. courts are too quick to conclude that data breaches don’t create harm.
You can access the ICO’s monetary penalty notice in the Carphone Warehouse case here (pdf).