Following the news that Carphone Warehouse has been slapped with a £400,000 fine after one of the company’s computer systems was compromised as a result of a cyber-attack in 2015, putting millions of people’s data at risk, Andy Norton, Director of threat intelligence at malware protection firm Lastline and Tim Erlin, VP at Tripwire, explain how much more this fine would cost once GDPR is in effect:
Andy Norton, Director of threat intelligence, Lastline:
“With a revenue of just over £10 billion, Carphone Warehouse could have been fined up to £400 million if the ICO had imposed the maximum fine of 4% of revenue under GDPR guidance.
“Clearly the ICO is signalling that its own internal view of data breach fines is not in line with European GDPR thinking. After May 25th, the imposition of mandatory heavy fines will go a long way to ensure that our personal data is protected. With the vast array of data breaches we see on an almost daily basis, it is more crucial than ever that organisations provision an automated breach defence system that can prevent and prove that no PII data was taken. This would mean that there is no potential for harm and the ICO need not be involved. Without a state-of-the-art breach defence system, our best advice to organisations is – Get Denial Plans Ready.”
Tim Erlin, VP, Tripwire:
“A fine might be significant for Carphone Warehouse, but it doesn’t magically provide remediation for those affected by the breach.
“As we’re facing the upcoming deadline for GDPR compliance, this fine is a good reminder for organizations that there is real money on the line for a lack of adequate controls in the face of a breach.”