Carphone Warehouse has just been fined £400,000 by the UK Information Commissioner’s Office (ICO) as a result of a 2015 data breach.
While the numbers involved might be eye-wateringly large, the failures that led to the breach offer important lessons to us all.
The £400,000 fine is equal to the fine the ICO levied on TalkTalk after its massive data breach in 2015. At the time, it was the highest fine levied by the ICO.
The words of the ICO’s Information Commissioner Elizabeth Denham, in a statement issued on 10th January 2018, go some way to explaining the extent of the fine.
She said: “A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
While the breach is worrying for the three million customers and 1,000 employees affected by it, the fact that a company as large as Carphone Warehouse is capable of failing to put in place “rudimentary measures” for cyber-security is a sobering thought for us all.
You might be wondering how this story about Carphone Warehouse is relevant to your small or medium-sized business. Read on: a little later in this article we look at what you can take from the mistakes Carphone Warehouse made, and what you can do to ensure something like this doesn’t happen to your business.
In all, the ICO found 11 separate failings in Carphone Warehouse’s security and information governance practices – each of which constituted a breach of the Data Protection Act in itself. Among those failings, the ICO highlighted:
• A failure to take “adequate steps” to protect the personal information
• Important elements of the software in use on the systems affected were out of date
• A failure to carry out routine security testing
• A lack of defensible deletion policies
The attackers were able to access the system via out-of-date WordPress software.
The fact a company the size of Carphone Warehouse, and with the IT resources it has access to, can fail on such basic security and data protection practices is a salutary lesson to us all. We can’t assume that cyber-security is “being done” – we need to put measures in place to actively ensure it is being carried out effectively.
The statement by the ICO highlighted the responsibilities organisations have to protect their staff, customers and other stakeholders, and the data they hold on them. It drew attention to the “data protection by design” focus of the forthcoming EU General Data Protection Regulation (GDPR), which comes into force in May this year.
Under GDPR, organisations that fail to protect the data they hold on individuals will face significant fines of up to 4% of annual turnover.
The increasing willingness of the ICO to levy fines of this magnitude signals the seriousness with which it takes these breaches. It is therefore incumbent on organisations of all kinds and all sizes to learn the lessons from the Carphone Warehouse breach.
Even without access to expert IT resources, small and medium businesses can put processes in place that will help them to protect their systems, data and reputation. If you know your business isn’t as on top of cyber-security as it ought to be, Grant McGregor offers a Government-backed Cyber Security training certification, which is a good starting point.
All businesses should be asking themselves the following questions:
• What software is installed on which hardware?
• How is the software updated? (Not updating it can leave you open to hacks, data breaches, and fines – as the Carphone Warehouse example illustrates).
• Who is responsible for patch management and version & build updates on your software applications? Don’t assume – find out who, what, why and how frequently.
• Do you have legacy apps and operating systems that can’t be updated? What risk does this present?
• Where does data reside within your organisation? How is this protected?
• How informed are staff about the risks of out-of-date software, phishing attacks and the problems of sharing information online or via email? Do you need to initiate, update or refresh cyber-security awareness training?
It isn’t enough to assume that your software is being automatically patched, or that updates are the responsibility of your IT vendor or outsourcing company. Find out – and ensure clear lines of responsibility are drawn.
Create a Software Asset Register, so you know what you have where, and how up to date it is. Create an Information Asset Register, so you know what data you have within the organisation, the risk this presents, and how it is protected. Ensure these registers are live systems and kept updated, so you have a clear picture of the risks and security measures within your organisation at any given moment.
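As an added illustration (not part of the original article), here is a minimal software asset register in Python that records which software runs on which host, who owns its patching and which version is installed, then flags entries that are behind a table of current versions, have no named patch owner, or have not been rechecked recently. All hosts, product names, version numbers, owners and dates are constructed placeholders, not real releases.

```python
from dataclasses import dataclass
from datetime import date

# Latest supported version per product. Constructed placeholder values,
# not real release numbers; in practice populate from vendor advisories.
CURRENT_VERSIONS = {"wordpress": "1.4.1", "php-runtime": "2.0.3"}

@dataclass
class Asset:
    host: str           # where the software is installed
    software: str       # product name, keyed into CURRENT_VERSIONS
    installed: str      # version actually running on the host
    owner: str          # who is accountable for patching it
    last_checked: date  # when this register entry was last verified

def parse_version(v: str) -> tuple:
    """Turn 'x.y.z' into a tuple of ints so versions compare numerically
    (plain string comparison would rank '1.10' below '1.9')."""
    return tuple(int(part) for part in v.split("."))

def find_issues(register, current=CURRENT_VERSIONS, today=date(2018, 1, 10),
                max_stale_days=30):
    """Return (host, software, finding) triples for every problem found:
    no patch owner, a stale register entry, an unknown/legacy product,
    or an installed version behind the current one."""
    findings = []
    for a in register:
        if a.owner.strip().lower() in ("", "unknown"):
            findings.append((a.host, a.software, "no patch owner assigned"))
        if (today - a.last_checked).days > max_stale_days:
            findings.append((a.host, a.software, "register entry stale"))
        if a.software not in current:
            findings.append((a.host, a.software, "no current version known; legacy?"))
            continue
        if parse_version(a.installed) < parse_version(current[a.software]):
            findings.append((a.host, a.software,
                             f"installed {a.installed}, current {current[a.software]}"))
    return findings

# Constructed sample register; every value here is made up.
SAMPLE_REGISTER = [
    Asset("web-01", "wordpress", "1.2.0", "web team", date(2018, 1, 3)),
    Asset("web-02", "wordpress", "1.4.1", "web team", date(2018, 1, 3)),
    Asset("web-02", "php-runtime", "2.0.3", "hosting vendor", date(2017, 9, 1)),
    Asset("legacy-01", "old-crm", "3.1", "unknown", date(2018, 1, 3)),
]

if __name__ == "__main__":
    for host, software, finding in find_issues(SAMPLE_REGISTER):
        print(f"{host:10} {software:12} {finding}")
```

Running it against the sample data reports the out-of-date WordPress install, the entry nobody has rechecked for months, and the legacy application with no owner and no known current version.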
Finally, since staff are often the weakest point of cyber-security – thanks to highly targeted phishing attacks and the foibles of social media – make sure you have the training and procedures in place to support staff in good cyber-security practice.
If you are concerned about your cyber-security, please get in touch.
Grant McGregor can offer you support in many aspects, helping you to ensure your organisation meets the expectations laid out in GDPR and to protect your staff, data and organisation from cyber-attack.