Carphone Warehouse in data protection breach

Carphone Warehouse has been warned it could face prosecution for exposing the personal details of thousands of customers online and, in some cases, inadvertently setting debt collectors on them.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

The Information Commissioner's Office (ICO) said the Carphone Warehouse, and its sister company TalkTalk, could face the possibility of an unlimited fine if their data protection and compliance systems are not brought up to scratch within 35 days of being notified last week.

An ICO spokeswoman said: "If they fail to comply with the enforcement notice it can lead to prosecution where they could face a fine of up to £5,000 in the magistrates court or an unlimited fine in the crown court."

She said the ICO had received the first complaints from customers about a year ago and is still receiving complaints relating to the issues.

She added: "It is obviously a serious breach. We had hundreds of complaints, which is very high compared with other organisations of a similar size."

Mobile phone, broadband, landline and other customers with both companies found themselves unable to take out loans or mortgages because of incorrect credit records, or were visited by bailiffs to recover other debts that didn't belong to them.

Up to 4,000 online customers were also linked to the wrong accounts, receiving other people's emails and were able to access other customers' personal information over the web, including names, addresses and phone numbers.

The companies were found to be in "serious" breach of the Data Protection Act by the ICO following a catalogue of errors that included passing inaccurate names, addresses and debts to credit reference and collection agencies, opening customer accounts in the wrong name and amending details on incorrect accounts.

The two companies also failed to respond to individuals' requests for the information it held on them, despite cashing cheques to pay for the information, according to the ICO.

The enforcement notice was served on the companies by the ICO a week ago, following the issuing of a preliminary enforcement notice in October last year notifying them of the breach of four principles of the Data Protection Act.

A spokesman for the Carphone Warehouse said it had dealt with the problems as soon as it was contacted by the ICO and that the mistakes related to a small number of its customers.

In a statement Mick Gorrill, assistant commissioner at the ICO, said: "Carphone Warehouse and TalkTalk's use of inaccurate and incorrect personal data has caused real damage and distress to customers.

"We have now ordered them to take the necessary steps to ensure customers' personal information is sufficiently protected."

A spokesman for Carphone Warehouse apologised for the problems and said: "The issues were primarily caused by the significant interest in TalkTalk's introduction of free broadband, over 18 months ago.

"We take these matters very seriously indeed, and as soon as these concerns were brought to our attention we took immediate steps to resolve them and to ensure we are fully compliant with the Data Protection Act."