ICO fines Carphone Warehouse – PhishMe comments

The ICO has confirmed that it has fined Carphone Warehouse £400,000 for its data breach in 2015 that compromised the personal details of more than 3 million customers and 1,000 employees. Information at risk included names, addresses, phone numbers, dates of birth, historical payment card details and car registrations. The breach occurred after one of the company’s computer systems was compromised, and the investigation also found that Carphone Warehouse’s technical security measures were inadequate, with software out of date and routine security testing not happening.

Aaron Higbee, CTO and co-founder of PhishMe, offers the following comment on why this proves that cyber security requires more than plug-and-play technology:

“By issuing one of the largest fines for a data breach, the ICO has maintained its strong stance against companies failing to take security seriously. While, in this case, there were basic technical security measures overlooked, it goes to show how important it is to secure an organisation from multiple angles. We know no singular technology solution can guarantee data breach prevention, which reinforces why technology alone isn’t enough to defend against today’s top threats. It’s time to improve our human-focused defences, alongside optimising our technology stacks, in order to stay ahead of evolving attacks and improve defence postures.

“With the right tools and training, a company’s employees should be able to identify and report potentially suspicious activity on a company’s network and can, in fact, become a strong line of defence. By encouraging employees to regularly report emails, for example, susceptibility rates to phishing emails drop significantly, while increasing speeds on incident response efforts. Too often firms look at their employees as the weakest link, however when conditioned and empowered effectively, they’re transformed into one of the enterprise’s strongest defences. After all, as was the case with Carphone Warehouse, it is often the staff that bear the brunt of a breach.”