Carphone Warehouse has recently been fined £400,000 by the ICO following a hack which resulted in unauthorised access to records containing personal data of over 3 million customers and employees.
There were a number of security failings identified, and whilst the ICO recognised that not all of the failings if rectified could have prevented the hack, such failings were still a breach of the Data Protection Act. This, combined with the number of individuals affected, has resulted in one of the largest fines issued by the ICO to date.
Below are 3 lessons that can be learnt at Carphone Warehouse’s expense.
Keep software updated
There were important elements in Carphone Warehouse’s system that were out of date, which made it easier for the hacker to take over the system and access large volumes of data.
Remember that what’s appropriate now may not be appropriate in the future, so keep systems (and also your whole overall data protection programme) under review and up-to-date.
Put policies in place – and abide by them, it’s not ok to just stick them in the cupboard!
Carphone Warehouse’s policies stated that they would have appropriate antivirus protection and carry out annual penetration testing, however the ICO identified that this wasn’t the case demonstrating that these policies weren’t being followed.
Whilst the ICO recognised that these steps may not have prevented this attack, it stated that this showed a “significant organisational deficiency”.
Policies should be regularly reviewed and maintained and you should ensure that they are embedded into your organisation’s culture.
Understand what data you hold
Carphone Warehouse’s system contained historical and credit card data which it was unaware of and had no need to retain. The ICO stated that this shows “an inadequate understanding of its IT systems architecture” without which “security arrangements are likely to be inadequate”.
Arguably the first step of your data protection programme should be to understand what data you hold, why and how long you need to keep it for.
If you need help with any data protection issues, please see our GDPRs page to see how we can help.