A video game rental firm has been fined £60,000 by the data protection regulator, the Information Commissioner’s Office (ICO). According to the ICO, Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked. For the penalty notice in full, visit the ICO website.
Sally Anne Poole, ICO enforcement manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO reported that it found Boomerang Video had failed to carry out regular penetration testing on its website, which should have detected the errors. The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex: it was a single dictionary word based on the company’s name. Boomerang also had some information stored unencrypted, and the data that was encrypted could be accessed because the firm failed to keep the decryption key secure. Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.
Ms Poole said: “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said: “This is a typical example of negligence that causes significant damage to thousands of people. Unfortunately, such cases are quite frequent, and are also attributable to large companies and governmental institutions where one breach exposes sensitive data of millions of innocent people. The amount of fine is actually quite modest, as it imposes just 2.30 GBP per breached record, while people whose data is compromised might have lost tens of thousands in direct losses and suffer irreparable moral damage. Companies, including SMEs, need to finally recognise that cybersecurity is a necessary and unavoidable cost to do business today. It’s comparable to paying VAT – if you don’t do it, you will face problems.”
The ICO adds that it has a range of guidance available to help businesses ahead of the GDPR becoming law in May 2018. This includes website pages on the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. However, at a recent conference in London on GDPR, featured in the June 2017 print issue of Professional Security magazine (‘ICO cannot give comfort before time’), the ICO had to admit that it could not provide details of what to do to comply with GDPR until nearer the deadline, despite managers needing to know so as to put plans in place.