Oliver Price’s Weekly GDPR Blog #14 – Carphone Warehouse Data Breach – Action Required

This week I teamed up with Wiltshire Police and Avagio IT Systems to make the link between data protection, cyber security and worldwide criminality. The first major data protection prosecution decision this year highlights that action is required in the area of data and information security.
It is now well known that Carphone Warehouse suffered a major cyber attack during July and August 2015. They have been fined some £400,000, and in her decision the Information Commissioner, Elizabeth Denham, criticised their cyber security arrangements. Sadly, this reads in a similar way to a number of decisions of this sort: she found that Carphone Warehouse had failed to keep their software up to date, failed to keep their software patches up to date and used systems in relation to passwords that fell well below modern standards. Although it is not entirely certain, it appears that the cyber attack came from Vietnam.
As you will be aware, from 25 May 2018 the fines will go up very substantially under the GDPR, to either 4% of worldwide turnover or €20,000,000, whichever is the greater. Under the new law one could therefore expect to see a substantially higher fine (the present limit is £500,000). If you have not yet audited your cyber and information security arrangements, you should start doing that today.
12 January 2018

Last updated 15/01/2018