Among the failures the ICO identified were the use of software which was “many years out of date”, having previously been updated six years before the attack; a lack of “rigorous controls” over who had login details to the system; and storing full credit card details with “no good reason” to do so.
Information Commissioner Elizabeth Denham said: "A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. In total over 3 million customers and 1,000 employees were put at risk, although there was no evidence of any individual data having been used by third parties.
While the ICO has been keen to play down the prospect of huge fines under GDPR, Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, described the move as "a shot across the bows in the run-up to GDPR". She added: "While it is a relatively large headline figure, it is a fraction of what is possible under the new Regulation.”
Parent company Dixons Carphone had an annual revenue of £10.58bn in 2017; under GDPR it could have faced a fine of 4% of that figure, £423m.
In a statement, Carphone Warehouse said: “We accept today’s decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse’s UK divisions in 2015.
“As the ICO notes in its report, we moved quickly at the time to secure our systems, to put in place additional security measures and to inform the ICO and potentially affected customers and colleagues. The ICO noted that there was no evidence of any individual data having been used by third parties.”
The only other company to have been hit by such a penalty was TalkTalk, which was spun out of Carphone Warehouse in 2010.