The Information Commissioner's Office (ICO) delivered a wake-up call of some magnitude recently when it announced a £60,000 fine for Berkshire-based SME Boomerang Video (an online store that rents out video games).
The company's website was found to have insufficient cyber-security measures in place, which resulted in the personal data of over 26,000 customers (including credit card numbers, phone numbers and home addresses) being accessed via a type of cyber-attack known as 'SQL injection'.
SQL injection is only possible where a website already has a security weakness, and its impact is compounded by further failings such as unencrypted data or insecure decryption keys. Once in, attackers can copy identities, change or destroy existing data and completely take over the administration of the database server (amongst many other malicious activities). In other words, the fine was so severe because the company failed to take adequate steps to protect its customers' personal data.
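To make the mechanism behind the attack concrete, here is an added example (not Boomerang Video's code, nor anything published by the ICO) in Python using the built-in sqlite3 module. It builds a small constructed customer table, then runs the same lookup two ways: one that pastes the user's input straight into the query text, and one that passes it as a bound parameter. A hostile input that a routine penetration test would try returns every customer from the first version and nothing from the second, which is the fix every store taking card details should already have in place.

```python
import sqlite3

# Constructed sample data standing in for an online store's customer table.
# Added example code: not Boomerang Video's software and not from the ICO's report.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "12 High St"),
    ("bob@example.com", "Bob", "7 Mill Lane"),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Look a customer up by building the SQL text from the input (the weakness)."""
    # Concatenating user input into the query lets that input change the query's meaning:
    # a quote character in the value ends the string literal and the rest becomes SQL.
    sql = f"SELECT email, name, address FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Look a customer up with a parameterised query (the fix)."""
    # The value is sent to the database separately from the SQL text, so whatever
    # characters it contains, it is only ever compared against the email column as data.
    sql = "SELECT email, name, address FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups on a normal and a hostile input; return the row counts."""
    conn = make_db()
    normal = "alice@example.com"
    # Constructed hostile input of the kind a penetration tester feeds to every form field.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),    # 1: the matching customer
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),  # 2: every customer leaks
        "safe_normal": len(lookup_safe(conn, normal)),          # 1: the matching customer
        "safe_hostile": len(lookup_safe(conn, hostile)),        # 0: treated as a literal email
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The point for a business owner is that the fix is not exotic: every mainstream database driver supports bound parameters, and the regular penetration testing the ICO expected would have flagged the first pattern the moment a tester put a quote mark in a field.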
Sally Anne Poole, ICO enforcement manager, said:
"For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
I hope businesses learn from today's fine and check that they are doing all they can to look after the customer information in their care."
The ICO is the independent regulatory office responsible for upholding information rights in the public interest. The office deals with the Data Protection Act (1998), the Freedom of Information Act (2000) and the Privacy and Electronic Communications Regulations (2003). By May 18th 2018 the office will also be responsible for enforcing the new EU-wide General Data Protection Regulation (GDPR), which directs that fines of between 2% and 4% of annual turnover are issued for breaches of data protection guidelines. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
The ICO's investigation into Boomerang Video found the following security breaches:
- Boomerang Video failed to carry out regular penetration testing on its website, which should have detected the errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted, and the information that was encrypted could still be accessed because the firm failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
Is your organisation's confidential business data secure? Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber security bundle of courses, which includes full and short-course training to ensure your employees, and your organisation, are safe and secure.