On 10 January 2018, the UK ICO issued a fine to Carphone Warehouse amounting to £400,000, close to the maximum (of £500,000) under its current powers within the current (pre-GDPR) law. Carphone Warehouse's computer systems, which contained significant amounts of personal data including customer and employee records as well as historic transaction details, had been the subject of an external cyber-attack.
The ICO focused on what it saw as a series of basic errors which a company the size of Carphone should not have allowed to happen. Notably, even though there was no evidence of actual harm caused by this particular attack, the ICO focused on the absence of measures and the resulting risk of actual (and substantial) harm.
As well as acting as a reminder that large fines are a very real threat and consequence of data breaches - a threat which will increase significantly under GDPR - this enforcement action offers some key lessons for businesses. Businesses would be prudent to use their current GDPR compliance exercises as an opportunity to plug any potential holes in their information security regime, many of which are highlighted in these proceedings.
1. Basic hygiene is key
There were some basic features of security which the ICO found plainly should have been in place: there was no Web Application Firewall and no antivirus software. Both of these absences were found to be departures from widely accepted standards, and the latter was also clearly a departure from Carphone's own policies.
2. Security is a lifecycle, not a one-off activity
The ICO found inadequate the vulnerability scanning and penetration testing measures in place, noting that no internal or external penetration testing had been conducted in the 12 months leading up to the attack. It also noted that 15 days elapsed between the first compromise by the attacker and Carphone's own detection systems triggering action to shut down the intrusion.
An emerging theme, and an increasing focus for regulators and courts in data breach cases, is the failure of companies to adequately test and monitor the security measures they have implemented and to detect unauthorized access.
3. Upgrade paths and patching
The web application which was first compromised was materially out of date: later versions were available which would have reduced vulnerabilities. Patching practice was found to be seriously inadequate, and contrary to Carphone's own policies/standards.
Notably, these were found to be important factors in the decision to fine, even though there was no evidence that they would have prevented this particular attack.
4. Manage the data you actually hold
During the investigation it came to light that Carphone was not aware of the historic transactions and credit card data held on the particular system at the time: these appeared to have been retained unintentionally as a result of the initial application configuration. This cut little ice with the ICO, which felt that Carphone plainly should have had a better understanding of the data it retained.
This focus on retention practices, understanding the data held on particular systems, and tailoring security accordingly, should be a key part of any current exercise to achieve GDPR compliance.
5. Causation of actual harm may not matter
The Commissioner noted that its real concern was with the measures Carphone had put in place, and the contraventions that exposed the contents of the system to very serious risk, rather than with the specific data breach itself. For the purposes of regulatory enforcement, whether actual harm was suffered is only one factor.
Fines can be issued simply for failing to maintain adequate measures. This is particularly the case where - as the ICO found in Carphone's case - the failings are multiple, basic and long-standing, and affect a company which has the size and means to do something about them, as well as an inherent understanding of its attractiveness as a potential target.
6. Double-edged swords
According to the Commissioner, Carphone did not take reasonable steps to prevent the contravention. It particularly criticized Carphone's lack of urgency in remediating potential deficiencies in its information security, of which it was aware, to some degree, before the incident. This awareness came from a number of sources:
- Carphone's own security reviews, which had identified weaknesses that remained unaddressed
- Internal policies (on patching, antivirus and testing) which were not applied
- Other divisions which had better measures in place, showing that organizationally Carphone understood the need for them
- Remediation measures taken immediately after the incident, which tended to demonstrate that they were available and could have been implemented earlier
What seems clear is that an organization will be worse off when there is evidence that it understands the need for better measures but has not taken them. This also raises questions of interest to litigators around the creation of disclosable documents which tend to emphasize that the organization understood its own weaknesses.