freshidea - stock.adobe.com

Victims’ legal action over 2015 Carphone Warehouse breach moves forward

A class action against Currys Retail over the 2015 data breach of Carphone Warehouse customers has been granted permission to move forward in the courts

Eight years on from a serious breach that saw data on 2.4 million people held by Currys Retail-owned Carphone Warehouse compromised, members of the public fighting for redress have learned their case will be allowed to progress following a ruling at Manchester Crown Court.

Almost 2,000 victims have now signed up to a case against the company being brought by Manchester-based Barings Law.

In the most recent hearing, held at the end of October 2023, Barings presented an application to amend the particulars of its clients’ claims, which was granted by Judge Bird KC, although Currys had argued against the procedure.

“This is a good indication that the court is willing to hear us out on behalf of the countless people impacted by the case,” said Barings head of data breach Adnan Malik.

“People’s private information is of huge importance. It’s heartening to see the court taking a stand in favour of the victims, showing a commitment to upholding the principles of justice.

“The overwhelming response with nearly 2,000 sign-ups underscores the magnitude of this data breach’s impact,” added Malik. “It is clear that people are seeking justice and resolution, and we are committed to representing their interests effectively.”

The consumer tech retailer’s systems were attacked on 5 August 2015, resulting in the compromise of names, addresses, dates of birth and bank details of 2.4 million customers, and the encrypted credit card details of 900,000 more. Data on approximately 1,000 employees was also impacted.

Read more about recent data breaches

  • The Marina Bay Sands resort in Singapore uncovered a data breach of its guest loyalty programme last month.
  • The developing data breach at Greater Manchester Police follows a cyber attack on the systems of a key supplier of ID services to the force.
  • An emergent threat actor has leaked details of multiple sensitive Airbus suppliers after claiming to have accessed the firm’s systems having hacked customer Turkish Airlines.

Almost three years later, in 2018, the organisation was fined £400,000 by the Information Commissioner’s Office (ICO) after it identified serious failings in its approach to data security and determined it had failed to take adequate steps to safeguard its customers’ information.

During the investigation, it emerged the intruders were able to use valid login credentials to access Carphone Warehouse’s systems via an out-of-date and unpatched version of the WordPress web content management platform.

The ICO also found other important elements of Carphone Warehouse’s software and systems to be out of date, and accused the company of failing to carry out routine security resting, and having inadequate measures in place to identify and purge historic data.

Distressed clients

If successful, Barings’ case – which has been deferred several times, and was paused altogether for a period during the Covid-19 pandemic – could be worth millions of pounds in compensation for those impacted.

“Our clients impacted by this have felt distressed by the breach of their personal information and they want to see justice for what happened,” said Malik. “We’ve stood firm from day one despite the delays, and at Barings Law, our primary goal is to secure justice for our clients and to establish ourselves as a leading authority in handling data breach cases.

“The recent ruling reflects the growing recognition of the serious consequences that data breaches have on individuals and the need for accountability.”

A Currys spokesperson said: “This was one of a number of procedural hearings which were required to deal with numerous defects in the particulars of the claim presented by Barings Law. The claim, which relates to a cyber attack as long ago as 2015, continues to be defended by the Company.”

Read more on Data breach incident management and recovery