SME Hit Hard: Devastating £60,000 Fine Confirms the Importance of Cyber Security Awareness

The Information Commissioner’s Office (ICO) delivered a wake-up call of some magnitude recently when it announced a £60,000 fine for Berkshire-based SME, Boomerang Video (an online store which rents video games out).

The company’s website was found to have insufficient cyber-security measures in place, which resulted in the personal data of over 26,000 customers being accessed (e.g. credit card numbers, phone numbers, and home addresses) via a type of cyber-attack known as ‘SQL injection’.

SQL injection is only possible where a security vulnerability already exists (e.g. unencrypted data or insecurely stored decryption keys), and it works by allowing cyber-attackers to copy identities, change or destroy existing data, and take over the administration of the database server entirely (amongst many other malicious activities). In other words, the fine was so severe because the company failed to take adequate steps to protect its customers’ personal data.
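To make the mechanism concrete, the following is an added example (not code from the article or from Boomerang Video) showing the root cause of SQL injection side by side with the fix. It uses Python's built-in sqlite3 module and a small constructed customer table; the data, table layout and function names are all assumptions made for the illustration. The first lookup pastes user input straight into the SQL text, so a value containing quote characters changes the statement and returns every row; the second binds the input as a parameter, so the same value is treated purely as data and matches nothing.

```python
import sqlite3

# Constructed sample data: a tiny in-memory stand-in for a customer table.
# These rows are made up for this example and are not from the ICO report.
SAMPLE_CUSTOMERS = [
    ("alice", "07700 900001", "1 Example Street"),
    ("bob", "07700 900002", "2 Example Street"),
    ("carol", "07700 900003", "3 Example Street"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, phone TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: the query is built by string formatting, so the user-supplied
    value becomes part of the SQL itself and quote characters rewrite the WHERE clause."""
    sql = f"SELECT username, phone, address FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the value is bound as a parameter, so the database engine treats it
    purely as data regardless of the characters it contains."""
    sql = "SELECT username, phone, address FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with a quote-bearing value and
    return the number of rows each one exposes."""
    conn = make_db()
    normal = "alice"
    # A classic tautology value: concatenated into the vulnerable query it
    # yields WHERE username = '' OR '1'='1', which is true for every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterised_normal": len(lookup_parameterised(conn, normal)),
        "parameterised_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable lookup returning the whole table for the quote-bearing input, while the parameterised lookup returns one row for the genuine username and nothing for the hostile one. The same parameter-binding pattern exists in every mainstream database driver, and it is the control a penetration test of the kind the ICO expected would check for.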

Sally Anne Poole, ICO enforcement manager, said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

The ICO is the independent regulatory office responsible for upholding information rights in the public interest. The office deals with the Data Protection Act (1998), the Freedom of Information Act (2000), and the Privacy and Electronic Communications Regulations (2003). By May 18th 2018 the office will also be responsible for enforcing the EU-wide General Data Protection Regulation (GDPR), which directs that fines of between 2%-4% of annual turnover are issued for breaches of data protection guidelines. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The ICO’s investigation into Boomerang Video found the following security breaches:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary

Is your organisation’s confidential business data secure? Ensure your employees are aware of how to prevent a data breach with our Data Protection and Preventing a Data Breach eLearning courses. For added online security, we can also provide an off-the-shelf cyber security bundle of courses, which includes full and short-course training to ensure your employees, and your organisation, are safe and secure.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

James

VinciWorks CEO, VinciWorks