A small UK company that suffered a cyber attack has been fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video failed to take basic steps to stop its website being attacked, a hacking incident that led to the exposure of the personal details of 26,000 back in 2014. An unidentified attacker used SQL injection (a common hacking technique) to access 26,331 customer details.
The ICO hopes the enforcement action (pdf) will prompt other small businesses to review their security policies.
Sally Anne Poole, ICO enforcement manager, said: "Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
"If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher."
An ICO investigation found that Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors. In addition, the firm failed to ensure the password for the account on the Wordpress section of its website was sufficiently complex.
Boomerang Video had some information stored unencrypted and even encrypted could be accessed because it failed to keep the decryption key secure. To top everything else, encrypted cardholder details and CVV numbers were held on the web server for longer than necessary. “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening," the ICO's Poole concluded.
The ICO has published guidance to help businesses ahead of the implementation of GDPR on 25 May 2018. These guides include an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. ®