Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
Ms Poole said:
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
SOURCE: Information Commissioner’s Office
Note that DataBreaches.net had covered this breach (search Boomerang Rentals), and had noted its frustrating and customer-irritating incident response.
Of note, I think this monetary penalty by the ICO is fairly consistent with what the Federal Trade Commission here has tried to do, highlighting basic security steps and failures to maintain “reasonable” security. One difference, however, is that the FTC has no authority to impose any monetary penalty like this.