Privacy watchdog the Information Commissioner’s Office (ICO) has sent a warning shot across the bows of the UK’s SMEs, fining one company £60,000 after a cyber-attack took advantage of poorly protected web infrastructure.
Video game rental business Boomerang Video failed to follow best practice security steps and subsequently suffered an attack which exposed the personal details of over 26,000 customers, the ICO revealed.
It is said to have failed to carry out regular pen testing which would have uncovered the SQL injection flaw the attacker exploited.
Boomerang also failed to ensure its password for the WordPress section of its site was complex enough to foil attackers.
If that wasn’t enough, the ICO found some information stored unencrypted, and the data that was protected could also be accessed by virtue of the decryption key being accessible.
Finally, encrypted cardholder details and CVV numbers were stored on the firm’s web server for longer than was necessary, running counter to best practices around data minimization.
ICO enforcement manager, Sally Anne Poole, argued that businesses of all sizes that handle personal info have to comply with data protection laws.
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber-attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers,” she added.
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
Poole also warned that fines could be a lot higher under the EU General Data Protection Regulation (GDPR), which is set to come into force on May 25 2018.