In 2015 Carphone Warehouse experienced a cyberattack on one of its computer systems. The system contained large quantities of personal data, including records comprising the names and addresses of customers and employees and payment card information. The attacker used valid login credentials to access the system via out-of-date WordPress software. The attacker was then able to access the personal data of over three million customers and 1,000 employees.
According to the ICO, the incident exposed the inadequacies in Carphone Warehouse's technical security measures and overall approach to data security. The ICO added that the company failed to carry out routine security testing and had not updated a number of pieces of important software on its computer systems. The ICO considered this to be a serious contravention of the Data Protection Act 1998 and issued a fine of £400,000.
This serves as a reminder that the ICO takes a lack of adequate technical and organisational security measures very seriously. Organisations should ensure that they have appropriate measures in place to keep personal data secure. Software should be kept up to date and the system routinely tested to ensure its security.