ICO Fines E-Commerce Firm After SQLi Flaw

Written by

UK privacy watchdog the Information Commissioner’s Office (ICO) has handed down a £55,000 fine to an e-commerce firm after it failed to adequately secure its website.

Construction Materials Online (CMO) made the mistake of overlooking a coding issue which exposed its site to an SQL injection attack, an extremely common but easily rectified issue.

On May 6 2014, an attacker exploited the vulnerability to access unencrypted card details related to 669 customers, including names, addresses, account numbers and security codes.

Failing to have the appropriate technical measures in place to guard against such an attack is a breach of the Data Protection Act, resulting in the fine.

The ICO claimed CMO should have carried out regular pen testing in its site; a process which would have flagged the issue.

The firm also failed to ensure its system passwords were long and complex enough to prevent a brute force attack.

“When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud. Its failure to make cybersecurity a top priority has proved a costly mistake,” argued ICO head of enforcement, Steve Eckersley.

“It’s not just large, household-name companies that have to consider cybersecurity. Cybersecurity must be a top priority for businesses regardless of size. This fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first.”

The incident is not dissimilar to that which led to the infamous 2015 breach of TalkTalk.

The big-name ISP was fined £400,000 by the ICO last year after succumbing to an SQL injection attack, leading to a breach of around 157,000 customer records.

SQLi bugs are relatively easy to spot and fix, but as these cases have shown, can result in a serious financial hit and damage to the brand.  

TalkTalk’s losses are said to have totaled £60m, including clean-up costs, fines and customer attrition.

What’s hot on Infosecurity Magazine?