The UK data protection regulator, the Information Commissioner's Office (ICO), issued a £400,000 monetary penalty to Carphone Warehouse Limited on 10 January 2018 in relation to a data breach. The fine is 80% of the current maximum under the Data Protection Act 1998 (DPA 1998).
What was all this about?
Carphone Warehouse had a set of virtual servers hosting significant amounts of personal data, including personal records for 3,348,869 customers. The record for each customer included their name, date of birth, marital status, address, phone number and email address. The system also held other records, including historic credit card details for some customers and records of approximately 1,000 employees, which included details such as their car registration numbers.
Over a 15-day period in 2015, Carphone Warehouse was subjected to a cyber attack from an IP address in Vietnam. A common penetration testing tool was used to probe for vulnerabilities, and a vulnerability was discovered in Carphone Warehouse's WordPress web publishing system. Its WordPress software was out of date and exposed to the internet. Carphone Warehouse told the ICO that valid log-in credentials were used to access the WordPress administrative account.
The attacker extracted some files from the system, although Carphone Warehouse is not sure what it lost. The ICO's view is that those files most likely contained personal data.
Was any expert evidence involved?
Carphone Warehouse commissioned two specialist investigators, who prepared reports that were shown to the ICO. A third report was then shown to the ICO after the Commissioner had notified Carphone Warehouse of her intention to take action.
Why did the ICO take action?
The ICO took action under the Seventh Data Protection Principle in DPA 1998, which says:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Monetary Penalty Notice gives detailed reasons why the Commissioner considers that this principle was breached in this case.
Did the ICO take any mitigating factors into account?
Yes. The ICO considered that there were a number of mitigating factors, including:
- Carphone Warehouse had a program in place to improve its information security measures.
- Carphone Warehouse quickly took a number of remedial actions to fix problems and to help data subjects.
- There was no evidence of identity theft.
- The credit card data at risk was historic and less useful for fraud as a result.
- Carphone Warehouse pro-actively reported the breach and co-operated with the ICO.
Against this, though, the ICO determined that there were a number of aggravating factors, including the fact that, as a technology business, and particularly one involved with telecoms networks, Carphone Warehouse should have done better.
Does this open the door for civil actions?
Civil actions from some of the victims, for example mobile phone subscribers or employees, could be a possibility. The risk of litigation in this area has increased since the findings of vicarious liability in the Morrisons case; you can see our alert and film on that case here: http://www.corderycompliance.com/client-alert-morrisons-data-breach-litigation-succeeds/. Unlike in the Morrisons case, there is no identified rogue employee here, so it may be more likely that any proceedings are commenced against Carphone Warehouse on the basis of its failure to take adequate security measures. There is, however, no suggestion in this case that any individual suffered harm as a result of the attack. This might not be a complete bar to a claim following the Google v. Vidal-Hall case in 2016, which we discussed here: http://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/
What about GDPR?
As almost every organisation knows, GDPR comes into force on 25 May this year. GDPR includes the possibility of higher fines. In this case the fine (based on the last turnover figures) could be as high as £423m, although the Information Commissioner has said on a number of occasions that she has no intention of fining to the maximum level. GDPR certainly increases the attention an organisation must pay to data security. There are more details in GDPR Navigator (http://www.corderycompliance.com/gh-cordery-gdpr-navigator/), including:
- a training film on the security obligations GDPR imposes on companies;
- a specimen data breach report plan;
- a specimen data breach template;
- detailed guidance on the security provisions of GDPR;
- detailed guidance on fine determination under GDPR; and
- a specimen data breach log.
This case also shows the need to act quickly. Under GDPR, security breaches like this will in most cases have to be reported to a data protection regulator within 72 hours. Cordery's Data Breach Academy helps organisations get ready for those new reporting requirements. There are details here: http://www.corderycompliance.com/cordery-data-breach-academy/.
For more information please contact Jonathan Armstrong or André Bywater, who are lawyers with Cordery in London, where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785