LONDON (Reuters) – Britain’s information regulator said on Wednesday it had fined Carphone Warehouse 400,000 pounds ($539,400) after a 2015 cyber attack exposed the personal data of more than 3 million customers.
The Information Commissioner’s Office (ICO) said the electrical goods and mobile phone retailer, owned by Dixons Carphone, left its systems vulnerable by failing to update its software and carry out routine testing.
“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” Information Commissioner Elizabeth Denham said in a statement, adding that the fine was one of the biggest that the ICO had issued.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Cyberattackers used valid login details to access Carphone Warehouse’s system through an out-of-date version of content platform WordPress, the ICO said.
The compromised personal data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, their historical payment card details.
Records for some employees of the retailer were also compromised, although the Commissioner said there was no evidence of identity theft as a result of the attack.
A spokesman for Carphone Warehouse said the company had co-operated fully with the investigation and accepted the ICO’s decision.
“We moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues,” the spokesman said.
“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes.”
Reporting by Kate Holton and Alistair Smout, Editing by Stephen Addison