The Information Commissioner’s Office (ICO) concluded after a detailed enquiry spanning more than two years that the company’s lax approach to security had enabled a compromise of a complex cluster of virtual servers between late July and early August 2015 – an incident that we reported at the time.
The ICO determined that the attack exposed the personal data of more than three million customers and 1,000 employees. The attackers gained access to customer data including names, addresses, phone numbers, dates of birth, and marital status. Making matters worse, the historical payment card details of some 18,000 customers were also compromised.
The ICO found multiple inadequacies in the company’s data security posture, concluding that Carphone Warehouse had failed to put in place adequate safeguards to protect the personal information. Information Commissioner Elizabeth Denham said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks … Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
How the attack unfolded
The incursion was discovered on August 5, 2015, and the company copped some flak for not going public with it until three days later. The ICO found that the retailer's systems were under attack between July 21 and August 5, initially from an IP address in Vietnam and later from several IP addresses in other locations.
As also detailed in the ICO's report, the attackers first probed for weaknesses in the company's systems. A WordPress installation on one of the websites hosted on the company's system was found to be one such chink in its armor, as it was "considerably out-of-date, exposed to the internet, and suffered from multiple vulnerabilities".
The report also notes that the intruders actually used valid login credentials for the WordPress admin account in order to access the system. Once in, the attackers uploaded what Carphone Warehouse described as “malicious plugins” in order to give themselves file management and database functionality over the system’s contents.
The miscreants then located credentials stored in plaintext and used them to scour local databases for information. In an apparent effort to extract as much information as possible, they accessed various databases, including one containing payment card information. There is a “very realistic possibility” that some or all of this information was sent out of the system, said the ICO.
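The three failures the ICO report singles out in that chain (an out-of-date core exposed to the internet, plugins dropped into the install that nobody approved, and credentials lying around in plaintext) are all things a site owner can check for from the web root without touching the running site. The script below is an added illustration of such a read-only audit; it is not code from the article, the ICO report or Carphone Warehouse, and the version baseline, plugin allow-list, scanned file extensions and the sample directory tree it builds are all assumptions constructed for the demo.

```python
"""Added illustration (not code from the article, the ICO report or Carphone
Warehouse): a read-only audit of a WordPress web root for the three
conditions the ICO report describes in the intrusion above, namely an
out-of-date core, plugins nobody approved, and credentials stored in
plaintext. The version baseline, plugin allow-list, file extensions and
the sample tree are all assumptions constructed for the demo."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Assumption: oldest core version the owner is prepared to run (constructed baseline).
MIN_WP_VERSION: Tuple[int, ...] = (4, 3, 0)

# Assumption: plugin slugs that went through change control (constructed allow-list).
PLUGIN_ALLOWLIST = {"akismet", "contact-form-7"}

# Lines that carry a credential in the clear: WordPress's own DB_PASSWORD
# define, plus the generic key=value / key: value forms found in ini/env files.
CREDENTIAL_PATTERNS = [
    re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'[^']+'\s*\)"),
    re.compile(r"(?i)\b(pass(word)?|pwd|secret)\s*[=:]\s*\S+"),
]
SCAN_EXTENSIONS = (".php", ".ini", ".env", ".txt", ".cfg")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the $wp_version = '4.1.2'; assignment from wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([\d.]+)[^']*'", text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(p) for p in m.group(1).split("."))


def check_core_version(root: str) -> Optional[Tuple[int, ...]]:
    """Return the installed core version if it is below the baseline, else None."""
    with open(os.path.join(root, "wp-includes", "version.php"), encoding="utf-8") as f:
        installed = parse_version(f.read())
    return installed if installed < MIN_WP_VERSION else None


def check_plugins(root: str) -> List[str]:
    """Plugin directories present on disk that are not on the allow-list."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    installed = {d for d in os.listdir(plugins_dir)
                 if os.path.isdir(os.path.join(plugins_dir, d))}
    return sorted(installed - PLUGIN_ALLOWLIST)


def check_plaintext_credentials(root: str) -> List[Tuple[str, int]]:
    """(relative path, line number) of every line that looks like a stored secret."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                        rel = os.path.relpath(full, root).replace(os.sep, "/")
                        hits.append((rel, lineno))
    return sorted(hits)


def audit(root: str) -> Dict[str, object]:
    """Run all three checks and collect the findings in one report."""
    return {
        "outdated_core": check_core_version(root),
        "unapproved_plugins": check_plugins(root),
        "plaintext_credentials": check_plaintext_credentials(root),
    }


def build_sample_install() -> str:
    """Construct a throwaway tree exhibiting all three weaknesses (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '4.1.2';\n",
        "wp-config.php": ("<?php\ndefine('DB_NAME', 'wordpress');\n"
                          "define('DB_USER', 'wp_app');\n"
                          "define('DB_PASSWORD', 'hunter2');\n"),
        "wp-content/plugins/akismet/akismet.php": "<?php // approved plugin (placeholder)\n",
        "wp-content/plugins/filemgr-upload/filemgr-upload.php": "<?php // constructed: not on the allow-list\n",
        "wp-content/plugins/db-browser/db-browser.php": "<?php // constructed: not on the allow-list\n",
        "backup/db.ini": "[legacy]\nhost=db01\nuser=report\npassword=changeme\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding, value in audit(build_sample_install()).items():
        print(f"{finding}: {value}")
```

Two caveats on reading the output. wp-config.php necessarily holds the database password in the clear, so that hit is about scope rather than existence: the account named there should reach only the WordPress database, and no other system's credentials should sit anywhere under the web root (the `backup/db.ini` hit is the kind that matters). And the plugin check only catches plugins that differ from the allow-list by name; a plugin that was installed legitimately and later had a backdoor written into it would need a file-integrity comparison against a known-good copy, which this script does not do.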
The £400,000 fine is just shy of the maximum penalty (£500,000) that the ICO can mete out for data security incidents. It is also on a par with the fine that the ICO handed down to TalkTalk in October 2016 over a data breach some 12 months earlier. The penalty can, however, be reduced by 20% if it is paid early.
“Since the attack in 2015 we have worked extensively with cyber-security experts to improve and upgrade our security systems and processes,” Carphone Warehouse said in a statement quoted by the BBC. The incident involved the company’s online division, which runs websites OneStopPhoneShop.com, e2save.com and Mobiles.co.uk.
Author Tomáš Foltýn, ESET