On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer, The Car Phone Warehouse Limited. Following an attack on their system in 2015, the ICO found that the company had failed to take adequate steps to protect the personal data it held on its system.

Between July and August 2015, the system hosting the company’s internal and external websites, which included personal data (including payment card data) of over 3,348,000 customers and 1,000 employees, was subject to an external cyber attack. In its decision, the ICO meticulously detailed the chronology of events and technical failures that led to the breach. The ICO found that the attacker entered and took hold of the system quickly and easily due to the company’s security deficiencies, which included:

  • the system’s software was years out of date;
  • software patching was seriously inadequate and no measures were in place to check whether the software updates or patches were implemented in accordance with the company’s policy;
  • the company did not have measures in place to control access credentials;
  • adequate vulnerability scanning and penetration testing measures were not in place at the time;
  • the company had no Web Application Firewall for monitoring traffic to and from its web applications, contrary to accepted security standards;
  • the system’s servers did not have antivirus technology, which was contrary to the company’s policy and accepted security standards;
  • the operating system on the servers all had the same password shared by more than 30 employees;
  • personal data was retained without good reason and inadequate measures were in place to identify and purge historic data; and
  • the encryption keys for historical transactions were not stored safely.

The ICO concluded that these facts constituted a multi-faceted violation of the Data Protection Principle 7 included in the Data Protection Act of 1998, which provides that appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This decision sets the tone for companies at the dawn of the entry into force of the GDPR. The ICO, in its public announcement of the decision, emphasized the importance of the Privacy by Design principle included in the GDPR, which requires companies to ensure that strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law.