Carphone Warehouse has been issued a £400,000 penalty by the ICO. After GDPR, that could look like a measly fee.
Let’s pretend that you’re an awful, cavalier business owner who doesn’t care about cybersecurity. Imagine that you’re not bothered by a bit of business disruption, reputational damage doesn’t scare you and – if you’re totally honest – you don’t even care about your own customers.
Maybe that’s why the Information Commissioner’s Office (ICO) – which hands out penalties when businesses fail to properly protect personal data – opts for fines with lots of zeros rather than sending business leaders on the cybersecurity equivalent of a speed awareness course.
When Carphone Warehouse was hacked in 2015, the attack compromised the names, addresses, phone numbers, dates of birth, marital status and even the historical payment card details of some of its customers. You might remember the headlines; you might even have been affected. The breach is a reminder of the huge responsibility that big businesses take on when they hold large volumes of personal data.
On the issue, the Information Commissioner, Elizabeth Denham said: “Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.
“A company as large, well-resourced, and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”
£400,000. That’s how much Carphone Warehouse was fined for its data breach. It’s one of the largest penalties the ICO has ever issued. TalkTalk was hit with the same amount for its similarly infamous breach. Could your business have survived that kind of fine?
To give you an idea of how serious this penalty is, it’s 80% of the maximum fine the ICO can currently issue (£500,000). That’s a lot of money by anyone’s standards, but it’s small fry compared with what the ICO will be able to dole out post-GDPR.
Under the General Data Protection Regulation (GDPR), which is just months away, the maximum fine the ICO can issue shoots up. You’ve probably heard the figures: €20 million or 4% of annual global turnover, whichever is greater.
Let’s use Carphone Warehouse as an example of this monumental increase.
Last year Dixons Carphone, the parent company of Carphone Warehouse, announced a turnover of £447m. That means the £400,000 fine equates to just 0.09% of the company’s turnover.
Under GDPR, a fine at the same proportion of the maximum (80% of the 4%-of-turnover ceiling) would come to a whopping £14,304,000.
Now, we’re not in favour of needless scaremongering. The ICO has gone on record to reassure businesses that, for the most part, fines will be proportionate. But with even a 1% fine equating to £4,470,000 on that turnover, it’s perfectly reasonable to expect fines to increase.
Carphone Warehouse is not the cavalier, uncaring business we imagined earlier. It cares about its customers’ well-being, but it was still caught out by what the ICO described as “distinct and significant inadequacies”.
What would a 1% fine mean to your business? Are you at the top of your security game?
PROsecure™ is our comprehensive security suite, combining the latest technology with in-house expertise to ensure that threats are identified, diagnosed and neutralised.