In case you missed this news from last week, Carphone Warehouse was fined £400k after a 'serious failures' placed customer data at risk. This was one of the largest fines by the ICO to date - though such significant fines (and even larger fines) are set to become more common when GDPR comes into force on 25 May.
The fine was issued because one of Carphone Warehouse's computer systems was subjected to a cyber-attack in 2015, and Carphone Warehouse was blamed for failing to adequately secure the system. The attackers gained access by using valid login credentials to access the system through out-of-date WordPress software.
The cyber-attackers gained access to the personal data of over 3,000,000 customers and 1,000 employees.
The ICO did acknowledge that Carphone Warehouse had taken steps to fix some of the problems once detected, and to protect the individuals whose data was affected. The Information Commissioner also acknowledged that there was no actual evidence that the data breach had resulted in any misuse of the data which was rendered accessible by the attack.
However, the ICO considered that Carphone Warehouse had not adequately protected consumers' data. In particular, they had inadequate measures in place to identify and purge historic data, and failed to carry out adequate routine security testing.
While the title of this article is admittedly slightly provocative, the point is that even though businesses may consider themselves to be the 'victims' of cyber attacks, the ICO takes a different approach. They consider the victims to be those whose data is accessed through such breach. The cyber attackers are often out of reach, which is why the business responsible for holding, processing and securing the data is held responsible. This is why the ICO will closely examine whether the business is at fault in any way (e.g. by failing to implement adequate regular security checks, or failing to ensure that all the relevant software is up to date, or failing to purge old data).
* * *
The ICO urges all companies and public bodies to ensure that they have strong IT governance and information security measures in place, and that they regularly test and refresh them to comply with the law.
You can also find useful guidance from the National Cyber Security Centre (NCSC) on the steps organisations can take to protect themselves
“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined. “But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees.” ... “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.” - Information Commissioner, Elizabeth Denham.