Carphone Warehouse, the mobile phone retailer that spawned TalkTalk, has been slapped with a maximum £400,000 fine for the 2015 hack that exposed the personal data of more than three million customers and 1,000 employees.
The fine, by the Information Commissioner's Office (ICO), is the maximum that can be levied - until the General Data Protection Regulation (GDPR) comes into force in May.
The company was accused by the ICO of failing to adequately secure its systems, enabling intruders to easily access the data.
While Carphone Warehouse at the time claimed that it takes "the security of customer data extremely seriously", the high-profile data breach saw hackers make off with highly personal customer data, including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, payment card details.
The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration details, were also accessed.
The ICO has been probing the incident for more than two years, and this week concluded that Carphone Warehouse had "failed to take adequate steps to protect the personal information".
Intruders were able to access the company's systems via out-of-date WordPress software using valid log-in details, which the ICO said "exposed inadequacies in the organisation's technical security measures".
For example, elements of the software in use on the systems affected were out of date and the company failed to carry out routine security testing.
There were also inadequate measures in place to identify and purge historic data, which the ICO claims to be "a serious contravention" of Principle 7 of the Data Protection Act 1998.
Information Commissioner Elizabeth Denham said: "A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
"Carphone Warehouse should be at the top of its game when it comes to cyber-security and it is concerning that the systemic failures we found related to rudimentary, commonplace measures."
However, Denham also acknowledges that while Carphone Warehouse's lax security measures were to blame for the data breach, no evidence has emerged that the data loss has resulted in identity theft or fraud.
Carphone Warehouse, which tells us that it'll only have to hand over £320,000 due to early payment, said in a statement sent to V3: "We accept today's decision by the ICO and have co-operated fully throughout its investigation into the illegal cyberattack on a specific system within one of Carphone Warehouse's UK divisions in 2015.