Anatomy of a Breach: Carphone Warehouse — 2.4 Million Customers and an ICO £400,000 Fine

> series: anatomy_of_a_breach —— part: 081 —— target: carphone_warehouse —— customers: 2,400,000 —— fine: £400,000

Hedgehog Security 30 September 2015 12 min read

2.4 million UK customers. Outdated software. £400,000 ICO fine.

On 8 August 2015, Carphone Warehouse disclosed that a cyber attack on the division running its online businesses OneStopPhoneShop.com, e2save.com and Mobiles.co.uk may have compromised the personal data of up to 2.4 million customers, including the encrypted payment card details of up to 90,000 of them. The exposed data included names, addresses, dates of birth and bank details. The intrusion was discovered on 5 August, roughly two weeks after the attackers first gained access and three days before the public disclosure.

The ICO's investigation found systemic security failings: the compromised systems ran an outdated WordPress installation with publicly known vulnerabilities, the company had carried out no adequate security testing, there was no Web Application Firewall in front of the sites, and the controls that were in place fell well short of what was reasonable for a business holding that volume of personal data. In January 2018 the ICO fined Carphone Warehouse £400,000 under the Data Protection Act 1998, matching the largest penalty it had issued up to that point, and the monetary penalty notice reads like a catalogue of basic controls that should have been in place but were not. Every technical failing the ICO identified is exactly the kind of finding a routine web application penetration test is designed to surface.


Every failing was basic, known, and preventable.

Outdated WordPress Installation
The compromised systems ran outdated WordPress software with known, publicly documented vulnerabilities. Keeping WordPress core, themes and plugins patched is one of the most basic security hygiene requirements, and one that <a href="/cyber-essentials">Cyber Essentials</a> enforces directly: security updates for vulnerabilities rated critical or high must be applied within 14 days of release. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies outdated CMS installations before an attacker does.
No Security Testing
The ICO found that Carphone Warehouse had not conducted adequate security testing. A single <a href="/penetration-testing/web-application">web application penetration test</a> would have flagged the outdated software, the absence of a WAF, and the exploitable vulnerabilities that the outdated version carried, before the attackers found them.
No Web Application Firewall
The absence of a WAF meant that common web attacks, such as SQL injection, cross-site scripting and file inclusion, met no automated defensive layer at all. A WAF is not a substitute for secure coding and patching, and a determined attacker can often evade one, but it provides defence in depth against commodity attack techniques, and the log of what it blocks is frequently the first signal that a site is being probed.
£400,000 Fine — Matching the ICO's Largest
The £400,000 penalty matched the largest the ICO had issued under the Data Protection Act 1998, a clear signal that the regulator was prepared to impose significant penalties for basic security failures. Under GDPR, which took effect in May 2018, the same breach could attract a fine of up to 4% of global annual turnover or €20 million, whichever is higher. <a href="/blog/sector-under-the-microscope-retail">Our retail sector analysis</a> examines the regulatory landscape for UK retailers.
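The first two failings above come down to one question a scanner has to answer: what version of WordPress is this site running, and how far behind the current release is it? The following is an added example written for this article, not code from the original page or from any scanning product; it fingerprints the version from the places WordPress habitually leaks it (the generator meta tag, the shipped readme.html, and the `?ver=` query strings on core assets) and then classifies the result against a 14-day patch window. The HTML samples, the version numbers and the release dates are constructed inputs, not data from the Carphone Warehouse sites.

```python
import re
from datetime import date

# Constructed sample pages standing in for what a scanner would fetch.
# The version strings and dates below are illustrative, not site data.
SAMPLE_HOME_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 3.9.2" />
<link rel='stylesheet' href='/wp-content/themes/shop/style.css?ver=3.9.2' />
</head><body>shop</body></html>"""

SAMPLE_README_HTML = """<html><body><h1 id="logo">
<img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br />
Version 3.9.2</h1></body></html>"""

# Fingerprint sources, most reliable first.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
README_RE = re.compile(r'Version\s+(\d+(?:\.\d+)+)', re.I)
# Lowest confidence: an asset with no version of its own is served with
# the core version in ?ver=, but a theme or plugin may set its own.
VER_QUERY_RE = re.compile(r'/wp-(?:includes|content)/[^"\'\s]*\?ver=(\d+(?:\.\d+)+)', re.I)


def parse_wp_version(home_html, readme_html=""):
    """Return the WordPress version the site leaks, or None if nothing matches."""
    for pattern, text in ((GENERATOR_RE, home_html),
                          (README_RE, readme_html),
                          (VER_QUERY_RE, home_html)):
        m = pattern.search(text)
        if m:
            return m.group(1).rstrip(".")
    return None


def version_tuple(v):
    """'4.2.4' -> (4, 2, 4) so that versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def patch_status(installed, latest, latest_released, today, window_days=14):
    """Classify an install against the current release and a patch window.

    'current' : installed >= latest
    'behind'  : a newer release exists but is still inside the window
    'overdue' : the fix has been available longer than window_days
    """
    if version_tuple(installed) >= version_tuple(latest):
        return "current"
    age_days = (today - latest_released).days
    return "overdue" if age_days > window_days else "behind"


if __name__ == "__main__":
    found = parse_wp_version(SAMPLE_HOME_HTML, SAMPLE_README_HTML)
    # Illustrative reference release and dates (assumed values for the demo).
    status = patch_status(found, "4.2.4", date(2015, 8, 4), date(2015, 9, 1))
    print(f"detected WordPress {found}: {status}")
```

In a real scan the three sources disagree more often than you would expect (a hardened theme strips the generator tag, readme.html is deleted, but `?ver=` on a core script still gives the version away), which is why the function checks all three rather than stopping at the first missing one.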

Carphone Warehouse, TalkTalk, and the UK's recurring nightmare.

The Carphone Warehouse breach came just two months before the TalkTalk breach of October 2015 would dominate UK headlines, a one-two punch that put UK telecoms and retail security under intense public and regulatory scrutiny. Both breaches shared the same root causes: outdated software, inadequate testing, and basic security controls that had never been implemented. Both resulted in £400,000 ICO fines. And both were entirely preventable.

For UK retailers and telecoms businesses, the message from the ICO was unambiguous: basic security failures will be punished. Cyber Essentials certification provides the framework and evidence of baseline security. Our web application testing identifies the vulnerabilities the ICO found at Carphone Warehouse. Vulnerability scanning keeps your CMS platforms patched. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence provides incident response when a breach is detected.
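Monitoring for exploitation attempts means reading the web server's own access log for the attack classes a WAF would have screened (SQL injection, file inclusion, cross-site scripting) and for credential-stuffing against the WordPress login. The block below is an added example written for this article, not code from the original page or from any SOC product; it parses Apache combined-format lines, matches URL-decoded request paths against a small signature set, and raises a separate alert when one source address POSTs to wp-login.php more than a threshold number of times inside a sliding window. The log lines are constructed for the demonstration, use RFC 5737 test addresses, and are not traffic from any of the sites named above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines for illustration only (not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [01/Aug/2015:10:01:03 +0100] "GET /product.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Aug/2015:10:01:09 +0100] "GET /product.php?id=12%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Aug/2015:10:01:15 +0100] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1821 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Aug/2015:10:02:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "python-requests/2.7"',
    '198.51.100.4 - - [01/Aug/2015:10:02:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "python-requests/2.7"',
    '198.51.100.4 - - [01/Aug/2015:10:02:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "python-requests/2.7"',
    '198.51.100.4 - - [01/Aug/2015:10:02:06 +0100] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "python-requests/2.7"',
    '198.51.100.4 - - [01/Aug/2015:10:02:08 +0100] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "python-requests/2.7"',
    '192.0.2.9 - - [01/Aug/2015:10:03:30 +0100] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4001 "-" "Mozilla/5.0"',
    '192.0.2.22 - - [01/Aug/2015:10:04:00 +0100] "GET /about/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
])

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures for the attack classes a WAF normally screens. They are applied to
# the URL-decoded path so that percent-encoding does not hide the payload.
SIGNATURES = {
    "sqli": re.compile(r"(union\s+select|'\s*or\s+1\s*=\s*1|sleep\(\d+\)|information_schema)", re.I),
    "lfi":  re.compile(r"(\.\./|/etc/passwd|php://|expect://)", re.I),
    "xss":  re.compile(r"(<script|javascript:|onerror\s*=)", re.I),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def analyse(log_text, login_threshold=5, window=timedelta(seconds=60)):
    """Return (ip, kind, evidence) alerts in log order.

    One alert per signature hit per line, plus a single 'wp-login-bruteforce'
    alert per source IP that POSTs to /wp-login.php at least login_threshold
    times inside any sliding window of the given length.
    """
    alerts = []
    login_posts = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, sig in SIGNATURES.items():
            if sig.search(rec["decoded"]):
                alerts.append((rec["ip"], kind, rec["decoded"]))
        if rec["method"] == "POST" and rec["decoded"].split("?")[0] == "/wp-login.php":
            q = login_posts[rec["ip"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= login_threshold and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                alerts.append((rec["ip"], "wp-login-bruteforce",
                               f"{len(q)} POSTs within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for ip, kind, evidence in analyse(SAMPLE_LOG):
        print(f"{ip:15} {kind:22} {evidence}")
```

Two caveats a practitioner would add before relying on this: signature matching on the path alone misses payloads carried in POST bodies, cookies or headers, so the same logic should be fed from a WAF or application log that records those, and the login threshold needs tuning per site, since a handful of legitimate users sharing a corporate NAT address can look like a slow brute-force.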


The ICO fined Carphone Warehouse £400,000 for basic failures. Are you next?

Every technical failing the ICO found at Carphone Warehouse is the kind our <a href="/penetration-testing/web-application">web application testing</a> is designed to surface. <a href="/cyber-essentials">Cyber Essentials</a> covers the basics. <a href="/vulnerability-scanning">Vulnerability scanning</a> keeps your platforms patched.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
