Andy Norton, director of threat intelligence at Lastline, added: "With a revenue of just over £10bn, Carphone Warehouse could have been fined up to £400m if the ICO had imposed the maximum fine of 4 per cent of revenue under GDPR guidance".
In a statement, Carphone Warehouse said: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyber-attack on a specific system within one of Carphone Warehouse's United Kingdom divisions in 2015". Even though the hack was long-forgotten until today, Information Commissioner Elizabeth Denham took the opportunity to twist the knife and wag a stern finger at the retailer.
ICO deemed the breach to be disappointing as a company the size of Carphone Warehouse should have been 'actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks'.
Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse's approach to data security and determined that the company had failed to take adequate steps to protect the personal information.
In October 2016, TalkTalk was also issued with a then-record fine of £400,000 for the 2015 cyber-attack that exposed the personal details of more than 150,000 customers, and then, less than 10 months later in August 2017, the ICO fined the company a further £100,000 for failing to look after customers' data.
"Once the GDPR is implemented, any organisation that puts the data of its European customers at risk will not only face eye-watering fines, such as those suffered by Carphone Warehouse, but will also be subject to crippling reputational damage".
Carphone Warehouse, which tells us that it will only have to hand over £320,000 due to early payment, sent V3 the same statement accepting the ICO's decision.
The attack saw the personal details of three million customers accessed, including their names, addresses, dates of birth, phone numbers and marital status.
The measures used to identify and destroy historical data were also deemed inadequate. Carphone Warehouse and the ICO have found no evidence of fraud or identity theft from the data breach.
These failures violated the UK's Data Protection Act.
It said that, as a major "data controller", Carphone Warehouse should have used systems that complied with "the data protection principles".
"It is particularly concerning that a number of the inadequacies related to basic, commonplace measures needed for any such system", commissioner Denham said in her report.
"It is also a shot across the bow of such companies in the run-up to GDPR".