The news of a massive data breach at Dixons Carphone recently came as a big shock to many. Others (like our Director) rolled their eyes and said it was expected! It is, after all, only 3 years since the Carphone Warehouse part of the business suffered a massive data breach at the hands of hackers. This led to the ICO issuing, in January 2018, one of their largest ever fines of £400,000.
The Information Commissioner, on announcing the fine, said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks. Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
Strong words, and one would assume that since the breach was discovered in August 2015, Carphone Warehouse would indeed have raised its game considerably and, not only that, have taken data security much more seriously during due diligence for the 2014 merger with Dixons, to become Dixons Carphone.
This time the breach involved an attempt to compromise 5.8 million customer credit and debit cards via a hacking attempt on a purchasing system used by Dixons Travel, PC World and Currys. Thanks to chip-and-PIN security, many of the cards were protected, but that is pure luck and not the result of any design or proactivity by Dixons Carphone! Echoing the Information Commissioner’s words, a company as large, well-resourced and established as Dixons Carphone should have been actively assessing its data security systems, ensuring those systems were robust and not vulnerable to attack, and should be at the top of its game when it comes to cyber-security.
Clearly, lessons have not been learned in the intervening 3-year period – the previous and the recent chief executive statements seem eerily similar.
Possibly more shocking was the reporting that many computers didn’t even have firewalls (at PC World?!) and up to 40 staff in stores shared one password in some instances. As anyone who has attended our training and awareness courses will know, we list this kind of human error as a failure of basic principles of security in its simplest form – any rules or guidance that had been put in place had simply not been adhered to. This is often the case in our experience, and it’s not ‘new’ news that security is sacrificed for expediency by staff who often don’t know any better, or who have not received adequate training.
This second blow to the reputation of the former Carphone Warehouse, in its new guise as Dixons Carphone, is incredibly damaging, and there will inevitably be new fines levied by the ICO in due course. Currently, the ICO are investigating whether the latest breach will be dealt with under the previous DPA 1998 rules (and their lower-level fines) or the upgraded rules contained in the GDPR and DPA 2018. Some tense times ahead for the Dixons Carphone shareholders!
Are there any lessons to learn?
Your business may be a minnow in relation to the whale that is Dixons Carphone, but the lessons to be learned are the same – IT security, or the lack of it, cannot be excused. Firewalls, passwords and due diligence on the software systems that you employ are the basic building blocks of an IT security policy.
Start from the bottom up. Look at the basics. Above all, ensure your team understands the part they play – deliver appropriate training and awareness, not just as a one-off exercise, but at regular intervals as part of your ongoing data protection maintenance. If it isn’t a top priority in your business, make it one now; don’t allow complacency to put your business at risk.