Website security fines from ICO aren’t just for the Big Boys …

website security breach fines are for all organisations

Anyone labouring under the misapprehension that data protection fines for website security breaches are only for big companies should think again. It emerged on 27th June 2017 that the Information Commissioner’s Office has issued a fine of £60,000 to a Berkshire-based company, Boomerang Video Ltd, for failing to take basic steps to prevent its website from being hacked.

Over 26,000 customer records were exposed to the hackers when they struck in 2014. The fine should send a clear message to all businesses that hold information about their customers. The thing is, in 12 months’ time the fine could be significantly higher, as GDPR will then be in force.

An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic website security steps to stop its website being attacked.

Sally Anne Poole, ICO enforcement manager, said:

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

She added:

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection, in which untrusted input supplied through the website is passed into a database query as part of the query text itself, to access the data.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
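To make the first finding concrete, here is an added example (not code from the ICO report or from Boomerang Video’s site) showing the SQL injection pattern the attacker used and the parameterised query that prevents it. It uses Python’s built-in sqlite3 module against an in-memory table with constructed, invented customer rows; the table layout, the payload and the function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data standing in for a customer table. The names and
# email addresses are invented for this example.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]

# A classic tautology payload: closes the quoted string the application
# started and appends a condition that is true for every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Look up a customer by email using string concatenation (vulnerable).

    The caller's input is spliced into the SQL text, so any quote characters
    in it change the structure of the query rather than being treated as data.
    """
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Look up a customer by email using a parameterised query (hardened).

    The SQL text is fixed; the value is bound separately by the driver, so it
    is compared as a string and is never parsed as SQL.
    """
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups with a legitimate input and with the injection payload."""
    conn = make_db()
    results = {
        "vulnerable_legit": lookup_vulnerable(conn, "bob@example.com"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_legit": lookup_safe(conn, "bob@example.com"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }
    return results


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

With the legitimate email both functions return the single matching customer. With the payload, the concatenated query becomes `SELECT name FROM customers WHERE email = '' OR '1'='1'` and returns every row in the table, which is exactly how a whole customer database leaks through one form field; the parameterised version returns nothing, because it looks for a customer whose email address is literally `' OR '1'='1`. The same fix applies whatever the database engine: keep the SQL text constant and bind values as parameters.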

Ms Poole said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”


If you are concerned about GDPR and website security, talk to Team Discovery. We build robust websites that are kept up to date with the latest plugins and patches.