The attack exposed the personal data of more than three million customers.
The Information Commissioner's Office (ICO) said the company's failure to implement sufficiently robust safeguards allowed malicious parties to potentially access names, addresses, phone numbers, dates of birth, marital statuses and, in some cases, historical payment card information.
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” said information commissioner Elizabeth Denham.
Having said that, there is no evidence that there had been instances of identity theft or fraud.
The ICO discovered 11 separate issues with the company’s data protection and security practices, any of which would have breached the Data Protection Act on its own. These included the same root password being used on every one of the company's servers; no anti-virus software on the servers that held the data; and the storage of full credit card details when there was no requirement to do so.