Small and medium sized businesses are being warned to take note as a company which suffered a cyber-attack is fined £60,000 by the Information Commissioners Office (ICO).
The investigation by the ICO found that the Berkshire-based company, Boomerang Video Ltd, failed to take basic steps to stop its website being hacked.
Sally Anne Poole, ICO enforcement manager, stated: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber-attack and we find they have not taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. Under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
She added: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have been prevented and protected the personal details of more than 26,000 of its customers.”
What to look out for
The cyber attacker used a common technique known as SQL injection to access data. The video game rental firm’s website came under attack in 2014 and 26,331 customer details were exposed.
The ICO’s investigation found that the company had failed to carry out regular penetration testing on its website, which would have detected the flaw. It also failed to ensure that the password for the account on the WordPress section of its website was sufficiently complex, and the encrypted cardholder details and CVV numbers were held on the web server for longer than necessary, giving the attacker access to them.
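To make the SQL injection point concrete, here is an added illustration (not code from the article or from Boomerang Video, whose site is not described in any detail) of a customer lookup written two ways: one that splices the request value into the SQL text, and one that passes it as a bound parameter. The table, column names and sample rows are constructed for the example; it uses Python’s built-in sqlite3 so it runs offline.

```python
import sqlite3

# Constructed sample data standing in for a customer table (hypothetical schema).
CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """The weak pattern: the request value becomes part of the SQL grammar.

    A value containing a quote and an OR clause changes the WHERE condition
    itself, so the query can return every row rather than one customer.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The hardened pattern: the value is bound as a parameter.

    The driver sends the SQL text and the value separately; the value is only
    ever compared against the column and can never alter the query structure.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_with_invariant(conn, email):
    """Defence in depth: email is unique per customer, so more than one row
    from a single-customer lookup is a sign something is wrong; refuse to
    return the data rather than leaking it, so the condition can be logged."""
    rows = lookup_safe(conn, email)
    if len(rows) > 1:
        raise RuntimeError("single-customer lookup returned %d rows" % len(rows))
    return rows


if __name__ == "__main__":
    db = make_db()
    print("safe, normal input:", lookup_safe(db, "alice@example.com"))
    print("safe, hostile input:", lookup_safe(db, "x' OR '1'='1"))
    print("vulnerable, hostile input:", lookup_vulnerable(db, "x' OR '1'='1"))
```

The parameterised version is the fix the article’s “basic steps” points at: it costs nothing at runtime and removes the whole class of problem, whereas input filtering alone tends to miss cases. The invariant check is an extra layer a defender can add so that an unexpected result is surfaced rather than silently served.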
Ms. Poole also stated that “for no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.” The ICO hopes that businesses learn from the example being made of Boomerang Video and check that they are doing everything they can to manage their online security.
The ICO has a range of guidance available, including information about the data protection reform legislation and an updated toolkit for SMEs that includes a checklist to help organisations with their GDPR preparations.