Carphone Warehouse has been hit with a fine of £400,000 by the Information Commissioner’s Office (ICO) as a result of one of its computer systems being compromised back in 2015.

The data breach left the personal data of more than 3m customers vulnerable – with compromised data including names, addresses, phone numbers, dates of birth, and marital status. And, for over 18,000 customers, historical payment card details were also compromised.

1,000 employees also suffered the breach with their names, phones numbers, postcodes, and car registrations accessed.

“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said information commissioner Elizabeth Denham.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”

The ICO found Carphone Warehouse to have failed in its steps to ensure the protection of personal information. These failings made it possible for intruders to, using valid login credentials, access the system via an out-of-date WordPress software.

The ICO considered this a serious contravention of Principle 7 of the Data Protection Act 1998, despite there yet to be any evidence that the data had been used in identity theft or fraud.

“A fine might be significant for Carphone Warehouse, but it doesn’t magically provide remediation for those affected by the breach,” said Tim Erlin, VP at Tripwire. “As we’re facing the upcoming deadline for GDPR compliance, this fine is a good reminder for organisations that there is real money on the line for a lack of adequate controls in the face of a breach.”

Andy Norton, director of threat intelligence at Lastline, added: “With a revenue of just over £10bn, Carphone Warehouse could have been fined up to £400m if the ICO had imposed the maximum fine of 4 per cent of revenue under GDPR guidance.

“Clearly, the ICO is signalling that its own internal view of data breach fines is not in line with European GDPR thinking. After 25 May, the imposition of mandatory heavy fines will go a long way to ensure that our personal data is protected.”