Carphone Warehouse has been fined £400,000 after a security failure allowed unauthorised access to the personal data of millions of customers.
Criminals were able to access the personal data of more than three million customers and 1,000 employees in the 2015 cyber-attack.
The data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.
Records for some Carphone Warehouse employees – including names, phone numbers, postcodes and car registrations – were also accessed.
The Information Commissioner’s Office (ICO) said to date there had been no evidence that it had resulted in identity theft or fraud.
Your data protection rights
When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect information and data about you.
This might include your name, address and date of birth. This type of data, which is capable of identifying a living individual, is called ‘personal data’.
You have a right to know what personal data companies hold about you.
Safeguard your personal data
If you become aware that an organisation has lost your data, there are steps you can take to protect yourself and claim compensation.
This could include changing your passwords, keeping an eye on bank accounts and your credit report, as well as being mindful of unusual correspondence by asking yourself if it could be a scam.
If your data is lost and it causes you financial damage or distress, you may be able to make a claim for compensation from the organisation that lost your personal data.
Should you think your identity has been stolen as a result of a personal data breach, contact your bank or credit card company, and the police, as soon as possible to let them know the situation.
Which? is calling for a change in the law to ensure consumers do not lose out when their data is compromised. It follows research which found that almost one in 10 people who have shared their details online believe they have been subject to a data breach in the past year.
Inadequate handling of data
A detailed investigation found ‘multiple inadequacies’ in Carphone Warehouse’s approach to data security.
As a result, the investigation concluded that the company had failed to take adequate steps to protect the personal information.
Under the Data Protection Act, anyone who processes personal information must make sure that the information is secure.
Measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.