Carphone Warehouse cops £400k fine after hack exposed 3 MEEELLION folks’ data

Carphone Warehouse has been handed one of the largest ever fines – a whopping £400,000 – from the UK’s data protection watchdog after exposing the details of millions of its customers. An investigation by the Information Commissioner’s Office found a “striking” number of “distinct and significant inadequacies” in the phone …

  1. Anonymous Coward
    Anonymous Coward

    What do Calamity Phone Warehouse and Twattwat have in common ?

    Oh yeah, Charles Dunstone or should that be Duncestone

    1. Tigra 07 Silver badge
      Thumb Up

      RE: AC

      *Dumbstone

      1. djstardust Silver badge

        Re: RE: AC

        Tombstone

  2. JimC Silver badge

    The word any

    - as in any loss or any inconvenience - should be banned from press releases!

  3. Doctor Syntax Silver badge

    “very sorry for any distress or inconvenience”

    Clearly they can't get away with the ritual "only a few", so we get the second line of defence in weasel words: "any" (implying there may be none) and avoidance of the word "damage".

    Will journalists please learn to follow up this crap with searching questions?

    1. Anonymous Coward
      Anonymous Coward

      Often followed by "lessons have been learnt" - often after incidents where lives have been lost - a phrase that means absolutely nothing (unless qualified, which it never is).

      1. DJO Silver badge

        Oh yes, "lessons have been learnt", and that lesson is that paying the fine is cheaper than securing their data.

        Fines should be realistic and punitive, a minimum of £1 per user who has information compromised, doubling for any subsequent offences. After 3 such offences prison time should be an available penalty.

        1. CrazyOldCatMan Silver badge

          Fines should be realistic and punitive

          And will be under GDPR..

    2. Anonymous Coward
      Anonymous Coward

      But they didn't use the usual "we have no evidence that the information has been misused" and they didn't even offer to give you a pointless 12 months credit protection

  4. JimmyPage Silver badge
    Joke

    Once again, mention of compensation for victims ...

    only this time, I'll get the icon right ...

  5. Anonymous Coward
    Anonymous Coward

    GDPR

    Best get that penalty in before GDPR comes into force in May...

    https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

    When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically.

    From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.

    Even with Brexit, this legislation will be copied into UK law word for word (otherwise the UK wouldn't be deemed a safe harbour of data).

    1. Disgruntled of TW
      Stop

      Re: GDPR

      One has to ponder why the ICO has never dished out a £500K fine. Surely this Carphone Warehouse incident is as bad as it gets? GDPR would ensure 4% of global turnover underpins meaningful investment in operational security. Evidently, it gets little attention right now.

      1. Halfmad

        Re: GDPR

        It's the wrong mentality if you ask me, START at £500,000 and then reduce it to show where good practice was used, where speedy remediation was put into effect, where they notified ICO and those affected quickly.

        Don't start at £0 and count up, that's the wrong way. If companies aren't fast at notifying people, don't bother to do anything quickly and didn't in the past then they should always be hit with the maximum.

        1. CrazyOldCatMan Silver badge

          Re: GDPR

          START at £500,000 and then reduce it to show where good practice was used

          Ah - the (alleged) HMRC method of assessing fines. Unless you happen to be a large multi-national company or the CEO happens to be the brother of someone you went to Eton with..

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR

      penalties will reach an upper limit of €20 million or 4% of annual global turnover – whichever is higher.

      No, potential penalties will. But other UK and EU regulators have had 10% of turnover fines for years, few fines have ever come anywhere near the limit. Post GDPR, we can expect that fines will go up significantly. But I'll be amazed if the actual fines are anywhere near the potential maximum.

      1. Alan Brown Silver badge

        Re: GDPR

        "I'll be amazed if the actual fines are anywhere near the potential maximum."

        A few $LARGE ones will give the big players pause for thought though. £400k is in the noise.

      2. Wensleydale Cheese Silver badge

        Re: GDPR

        " other UK and EU regulators have had 10% of turnover fines for years, few fines have ever come anywhere near the limit.

        ...

        I'll be amazed if the actual fines are anywhere near the potential maximum."

        What happened with the TalkTalk fines was an example of this. TalkTalk got a significant reduction for "full cooperation".

  6. depicus

    Craphone Warehouse

    Who is surprised at a company which does everything on the cheap and treats their customers like shit would be anything but total *uckwads. Everything about Craphone Warehouse is rotten to the core.

  7. Cosmo

    Wordpress

    It's interesting that, from the report, the access was via valid WordPress login details, even though the version of WordPress itself was vulnerable.

    That points to either a disgustingly easy user/pass combo (admin/password) or an inside job where someone was possibly paid to disclose server details.

    1. Valeyard

      Re: Wordpress

      even admin on a wordpress install shouldn't do TOO much, but the webshell as plugin through the plugin install feature is as old as the hills, that thing must be ancient

    2. Anonymous Coward
      Anonymous Coward

      Re: Wordpress

      More than likely obtained from an open S3 bucket. Gawd knows there's enough of them out there, and given the Carphone Whorehouse reputation for slapdashery it's almost a given.

    3. PeterGriffin

      Re: Wordpress

      WordPress was exploited allowing access to the host. Credentials were located thereafter, if I read the article correctly.

  8. adam payne Silver badge

    Affected information included the names, dates of birth, addresses and phone numbers of more than 3 million customers; the staff records - including car registration numbers and work usernames - of 1,000 employees; and historic transaction details - like card numbers and expiry dates - for March 2010 to April 2011 for 18,231 payment cards

    So can we assume the card data was in plaintext?

    The hacker then located credentials in - yep, you guessed it - plaintext, which they used to search and access information in numerous databases, including those containing personal data.

    Plaintext *shakes head*, how stupid can you be?

    1. Justicesays

      The issue here is not the plaintext credentials, but credentials being on an internet facing server at all.

      Looks like a shitty design decision to just establish a full database connection to the backend with full access to service the front end requests.

      Whereas the front-end-provided authentication should be piped through to the backend to establish a data access session in the context of the front-end user that wants to look up data.

      This would limit any data loss specifically to users that logged in during the breached period, as well as giving the opportunity to limit or redact data (like full credit card numbers in stored transactions) when presenting it to the frontend.

      1. Anonymous Coward
        Anonymous Coward

        Internet facing?

        You make the assumption that the system holding this was internet facing.... it might not have been.

        Sure, the system compromised initially by the exploit was, but after that.... it could easily have been anywhere in their network if they hadn't properly isolated internet-facing systems (and most rarely do to the level required), and even then it's possible to gain deeper access in other ways...

      2. Anonymous Coward
        Anonymous Coward

        >> Whereas the front end provided authentication should be piped through to the backend to establish a data access session in the context on the front-end user that wants to look up data.

        It is fairly normal to have a single user account used by a web application to CRUD data from a database, with roles enforced within the web application.

        The problem here seems to be that the permissions for that database user weren't tightly scoped to the database/schema supporting the Wordpress instance, it was presumably a root account with access to EVERYTHING on the db server.

        This is rather sloppy.

        Unless they were using Wordpress to store personal data on CW customers, which would be an "interesting" approach.
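The scoping point made in the reply above (a web application's database account should be confined to its own schema rather than holding root-style access to everything on the server) can be checked mechanically. The following is an added example written for this thread, not code from the article, the ICO report or any Carphone Warehouse system: it audits pasted `SHOW GRANTS` output from MySQL/MariaDB and flags accounts with global privileges, administrative privileges, access to schemas other than the one the application needs, or a wildcard host. The account name `wp`, the schema names and the grant lines are constructed for illustration.

```python
"""Audit MySQL/MariaDB SHOW GRANTS output for over-broad web-app accounts.

Added example, not code from the article or the thread. Assumes the grants
were captured with `SHOW GRANTS FOR 'wp'@'localhost';` and pasted as text.
"""
import re

# One GRANT statement as printed by SHOW GRANTS:
#   GRANT <privs> ON <db>.<table> TO 'user'@'host' [...]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

# Privileges a DBA might hold; a web application's account never needs them.
ADMIN_PRIVS = {
    "ALL", "ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN",
    "RELOAD", "CREATE USER", "GRANT OPTION",
}

# Constructed samples (hypothetical account and schema names).
WEAK_GRANTS = [
    # The "presumably a root account" shape: everything, everywhere, from anywhere.
    "GRANT ALL PRIVILEGES ON *.* TO 'wp'@'%' WITH GRANT OPTION;",
]
OVERREACH_GRANTS = [
    # Scoped per schema, but the app account can also read a customer table.
    "GRANT USAGE ON *.* TO 'wp'@'localhost';",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'localhost';",
    "GRANT SELECT ON `customers`.* TO 'wp'@'localhost';",
]
SCOPED_GRANTS = [
    # The corrected setting: CRUD on the application's own schema only.
    # (USAGE ON *.* is MySQL's way of saying "no global privileges".)
    "GRANT USAGE ON *.* TO 'wp'@'localhost';",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'localhost';",
]


def parse_scope(scope):
    """Split `db`.`table` (backticks optional) into (db, table)."""
    db, _, table = scope.partition(".")
    return db.strip("`"), table.strip("`")


def audit_grants(lines, allowed_db):
    """Return a list of human-readable findings; empty means the grants look scoped."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # not a GRANT line (comments, prompt echo, etc.)
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        db, _table = parse_scope(m.group("scope"))
        who = f"'{m.group('user')}'@'{m.group('host')}'"

        if db == "*" and privs != {"USAGE"}:
            findings.append(f"{who}: global privileges {sorted(privs)} on *.*")
        elif db != "*" and db != allowed_db:
            findings.append(f"{who}: reaches outside {allowed_db}: schema {db}")

        if privs & ADMIN_PRIVS or "WITH GRANT OPTION" in line.upper():
            findings.append(f"{who}: administrative privilege granted")

        if m.group("host") == "%":
            findings.append(f"{who}: account usable from any host")
    return findings


if __name__ == "__main__":
    for label, grants in (("weak", WEAK_GRANTS), ("overreach", OVERREACH_GRANTS),
                          ("scoped", SCOPED_GRANTS)):
        print(label, audit_grants(grants, "wordpress") or "OK")
```

Run it against the real output of `SHOW GRANTS` for each account the web tier uses; anything other than an empty result for a front-end account is worth a ticket. The check is deliberately conservative: `USAGE ON *.*` is tolerated because MySQL always prints it, but any other global privilege, any `WITH GRANT OPTION`, and any second schema are reported.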

  9. Tigra 07 Silver badge

    Eh?

    "It is particularly concerning that a number of the inadequacies related to needed for any such system"

    Is it just me or does this quote not make sense?

    1. PhilBuk

      Re: Eh?

      It's not you. Either a word or maybe an entire line missing.

      Phil.

  10. VinceH Silver badge

    "It is particularly concerning that a number of the inadequacies related to basic, commonplace measures needed for any such system."

    26 (2) in the report (page 13).

  11. Derichleau

    Time to start cashing in on the abuse

    I'm about to contact their legal team as they sent me an e-mail to inform me that I had not completed the check-out process. This is likely to be a contravention of Regulation 22 PECR and should be worth a few hundred quid in compensation.

  12. Anonymous Coward
    Anonymous Coward

    “very sorry for any distress or inconvenience”

    More disingenuous corporate-speak! Here's what happened: you ran your tech ops on a shoestring with sheer indifference, because you knew quite cynically that the cost of fixing it wasn't worth it versus possible looming fines. Just the cost of doing business. Will GDPR fix this lazy recklessness???

  13. Anonymous Coward
    Anonymous Coward

    “striking” number of “distinct and significant inadequacies”

    hey, no matter. What matters is that they, no doubt, take utmost care and employ breakthrough and cutting-edge technology to ensure their customers' data remains safe. Because they really care.

  14. The Original Steve

    Stores

    What really annoys me is that if I pop in to buy an unlocked phone they demand address and other details that are not required by law. No details, no sale.

    Which is fine, I took my business elsewhere.

    Rather glad I did now...

  15. Pascal Monett Silver badge

    FTFY

    "Since the attack in 2015 we have worked extensively with cyber security experts to create and implement our security systems and processes,” it said.

    There, that's better.

  16. Anonymous Coward
    Anonymous Coward

    Not surprised.

    I bought a phone from CW last week and noticed that their POS system is still running what looked like Win 95, (might have been XP with the start menu set to '95 mode), so it's hardly surprising to hear that there are systemic IT problems.

  17. Sam Therapy

    Currently owned by Dixons. What a surprise.

  18. Phil Endecott Silver badge

    £320,000

    if they pay by 7th Feb.

    1. Tim Jenkins

      Re: £320,000

      Love that there's an early payment discount, but only if you don't appeal. When did the ICO get taken over by ParkingEye?

  19. SarkyGit

    Not Even FST FFS

    I was amazed when I walked into my local Carphone Warehouse outlet in the Parkhead Forge retail park, Glasgow.

    They still have at least four CRT tellies above them behind the counter (yep, you read right, CRT).

    I stood there gawping at what a baldy bastard I looked like on some sort of bulbous 24" (or thereabouts) colour TV screen from the nineties.

    The missus did all the talking (switching from one shitty broadband to another) so I never clocked their EPOS and can't comment on that.

    I just pointed and stared at the shiny reflective screens. In awe of the flickery glow. I pondered the magic, thinking of the electrons being magnetically aimed, then fired in succession towards the screen, at the speed of light, row after row and how it made the back of my head look like a full on friar tuck.

    I also remember it happened to me years ago, walked into the offie's* on Duke Street, stood in the queue staring at the CCTV telly, when I got to the front the lassie had obviously noticed the staring and said "Aye, everybody looks baldy in it, even the wummin. Wit dae ye wan't"**

    * Offie's: Shop where you buy booze to take to your home/mates/party

    ** Translation: "Yes, everyone looks as if they may be going a bit thin on top, including the ladies. Can I get you anything sir"

  20. Scott Tracy

    Slapped wrists all round

    So... what do you have to do to cop the maximum fine?? Clearly it has to be worse than exposing the details of three million (!) people. And how come their customers get no compensation (I am not a customer)? And then Carphone Whorehouse, TalkisCheap and whoever is next get to carry on as though nothing has happened. If the same people remain in charge and therefore continue the same lazy culture and general ineptitude regarding security of important data, then it's only a matter of time till it happens again. Both companies continue to advertise allegedly great deals and most people will be totally unaware of what has happened. In our supposedly advanced society we manage to have an inspection regime with gradings for food outlets (important), washing machines (useful but hardly critical) and sundry other appliances, but nothing for ISPs, telcos and the like?? Why not implement a system of grading on IT security, reviewed annually, which they have to display in all advertising? Yes, I know that's more bureaucracy, but this is people's personal data we are talking about here - way too many people suffer from theft of personal data. Discounted £400K fines are hardly going to change the prevailing culture that people don't matter. Having to advertise a rubbish grading for a year might make companies think and might help people ask some questions when dealing with these companies.

    I'm sure there are better ideas out there, just my suggestion from frustration that nothing will change if all we do is dish out a few paltry fines occasionally.

  21. Nimby
    Mushroom

    Not nearly enough.

    I am still of the opinion that the proper way to handle such punishment is not to fine them, but to force them to put into an escrow account the cumulative maximum amount that could potentially be stolen from each customer bank account, credit card, etc. exposed and identifiable due to the breach. This will be used to directly compensate any actual losses incurred by customers. Only after something like 5 years' time will any remaining funds be returned to the company, after removal of a 10% handling fee "fine". Further, for any criminal charges brought against hackers, identity thieves, etc., the head of IT and every manager above who can be proven to have known about their internal bad practices can be held legally liable as being complicit in / an accomplice to the actions of the hackers, identity thieves, etc., as without their negligence and indifference these breaches would not be possible. With a law like that, companies will quickly take proper security practices seriously and injured parties will be properly covered.

    1. JimC Silver badge

      Re: With a law like that,

      > the proper way to handle such punishment is not to fine them,

      >but to force them to put into an escrow account the cumulative

      > maximum amount that could potentially be stolen

      With a law like that, Directors will plunder as much as they possibly can out of the business and then declare it bankrupt before anything is paid out, and injured parties will get nothing...
