Carphone Warehouse cops £400k fine after hack exposed 3 MEEELLION folks’ data

ICO: Seriously insecure system allowed unauthorised access to DB

By Rebecca Hill

Carphone Warehouse has been handed one of the largest ever fines – a whopping £400,000 – from the UK’s data protection watchdog after exposing the details of millions of its customers.

An investigation by the Information Commissioner’s Office found a “striking” number of “distinct and significant inadequacies” in the phone company’s security arrangements.

This allowed the miscreants behind a cyber attack that originated from an IP address in Vietnam in the summer of 2015 - and which went on for a full 15 days before being detected - to gain access to millions of individuals' personal information.

Commissioner Elizabeth Denham said: “The deficiencies in Carphone Warehouse’s technical and organisational measures created real risks of such data breaches [and] played an essential causal role in this particular incident.”

Affected information included the names, dates of birth, addresses and phone numbers of more than 3 million customers; the staff records - including car registration numbers and work usernames - of 1,000 employees; and historic transaction details - like card numbers and expiry dates - for March 2010 to April 2011 for 18,231 payment cards.

The £400,000 fine matches the record fine doled out to TalkTalk in 2016, with the ICO saying that the “glaring shortcomings” in Carphone Warehouse’s systems should have been identified earlier.

“It is particularly concerning that a number of the inadequacies related to basic, commonplace measures needed for any such system,” commissioner Denham said in her report.

“These inadequacies appear to have persisted over a relatively long period of time, given how easily and quickly some of these glaring shortcomings should have been identified and remedied.”

The report (PDF) details the vulns exploited by the attacker, who made a scan of the system using penetration testing tool Nikto.

It identified a “considerably out-of-date” WordPress installation that was exposed to the internet and “suffered from multiple vulnerabilities”, the ICO said.

Via the WordPress installation, the attacker/s entered the system and uploaded web shells that were intended to give themselves basic file management and database functionality.

The hacker then located credentials in - yep, you guessed it - plaintext, which they used to search and access information in numerous databases, including those containing personal data.
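The first two steps of that chain, a Nikto scan followed by web shells planted in the WordPress install, both leave traces in ordinary web server access logs. The script below is an added illustration, not code from the article or the ICO report, of how a defender could flag them from Apache combined-format logs. The log lines are constructed for the example (addresses are documentation ranges, not the attacker's), and the script assumes the scanner was left with its default User-Agent, which identifies itself as Nikto; it also treats any PHP request under wp-content/uploads as a web-shell indicator, since that directory only ever needs to serve static media.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in Apache "combined" format. They are
# invented for this example and are not logs from the incident in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2015:02:14:01 +0100] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
203.0.113.5 - - [10/Jul/2015:02:14:01 +0100] "GET /wp-content/plugins/ HTTP/1.1" 403 212 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"
203.0.113.5 - - [10/Jul/2015:02:14:02 +0100] "GET /readme.html HTTP/1.1" 200 7312 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"
203.0.113.5 - - [10/Jul/2015:02:31:40 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2015:02:31:55 +0100] "GET /wp-content/uploads/2015/07/cache.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2015:02:32:10 +0100] "GET /index.php HTTP/1.1" 200 9112 "http://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
"""

# Apache combined format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of the indicators one parsed request triggers."""
    hits = []
    # Assumption: the scanner kept Nikto's default User-Agent, which names itself.
    if "nikto" in entry["ua"].lower():
        hits.append("scanner_user_agent")
    path = entry["path"].split("?", 1)[0].lower()
    # PHP served from the uploads directory is the classic sign of an uploaded
    # web shell; the directory should hold only static media.
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        hits.append("php_in_uploads_dir")
    # The stock readme.html discloses the WordPress version to anyone who asks.
    if path == "/readme.html":
        hits.append("wp_version_disclosure")
    return hits


def analyse(log_text):
    """Count indicator hits per source IP; sources with no hits are omitted."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for hit in classify(entry):
            per_ip[entry["ip"]][hit] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def suspicious_sources(log_text, min_scanner_hits=3):
    """Sources that scanned repeatedly or touched PHP in the uploads directory."""
    return sorted(
        ip for ip, counts in analyse(log_text).items()
        if counts.get("scanner_user_agent", 0) >= min_scanner_hits
        or counts.get("php_in_uploads_dir", 0) > 0
    )


if __name__ == "__main__":
    for ip, counts in analyse(SAMPLE_LOG).items():
        print(ip, counts)
    print("escalate:", suspicious_sources(SAMPLE_LOG))
```

The scanner signal is weak on its own, since a User-Agent is trivially changed, which is why the script scores it per source rather than alerting on a single line. The uploads-directory signal is the one worth a hard rule: configuring the web server to refuse to execute PHP under wp-content/uploads removes the condition the indicator is looking for, and a 15-day dwell time like the one described above is what such a rule is meant to prevent.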

The ICO said the apparent aim was to extract “as much information as possible”. For instance, the payment information was located and accessed, with “a very realistic possibility” that it was exported.

The attacker also prepared and extracted a large file or files from the network, the contents of which cannot be determined - but the firm has worked on the worst-case assumption that they contained personal data.

As part of its assessment, the ICO commissioned two reports, which concluded that the attacker “clearly had everything he needed to take hold of the system and extract a large amount of information quickly”.

Carphone Warehouse said in a statement that it accepts the decision and is “very sorry for any distress or inconvenience” caused.

“Since the attack in 2015 we have worked extensively with cyber security experts to improve and upgrade our security systems and processes,” it said. ®
