British firm fined £60,000 for failing to secure its website
June 29, 2017
A small company in Britain that suffered a cyber attack has been fined £60,000 by the U.K.'s Information Commissioner’s Office (ICO).
An ICO investigation found that U.K.-based Boomerang Video failed to take some very basic steps to stop its website from being attacked; the resulting hacking incident exposed the personal details of over 26,000 victims in 2014.
An unidentified attacker used SQL injection, a common hacking technique, to access 26,331 user records.
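The article names SQL injection as the technique but does not show what the underlying flaw looks like. The following is an added illustration (not code from the article or from Boomerang Video's site) of the defect class and its fix: a lookup built by concatenating user input into the SQL text, next to the same lookup using a parameterized query. The table, column names and customer rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; nothing here comes from the incident in the article.
CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
]


def make_db():
    """Build an in-memory SQLite database with a small customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable pattern: the caller's input is spliced into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the value is bound as a parameter. The database
    driver treats it purely as data, so it can never alter the query."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an ordinary email and with an input containing
    quote characters, and return how many rows each variant hands back."""
    conn = make_db()
    ordinary = "alice@example.com"
    # Input with embedded quotes: a textbook tautology, used here only to
    # show that the two implementations behave differently on the same input.
    quoted = "' OR '1'='1"
    return {
        "vulnerable_ordinary": len(lookup_vulnerable(conn, ordinary)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quoted)),
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_quoted": len(lookup_safe(conn, quoted)),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows} row(s)")
```

The concatenated version returns every row in the table when the input carries quote characters, while the parameterized version returns none, because no customer has that literal string as an email address. Regular penetration testing of the kind the ICO faulted Boomerang Video for skipping would be expected to catch the first pattern; code review that rejects string-built SQL prevents it from being written in the first place.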
The ICO hopes the enforcement action will prompt other small businesses to carefully review their security policies.
Sally Anne Poole, ICO enforcement manager, said: "Regardless of your size, if you are a business that handles personal information, then data protection laws directly apply to you.
"If a company is subject to a cyber attack and we find that they haven’t taken the necessary steps to protect people’s personal data in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force in 2018, those fines could be a lot higher."
The ICO investigation revealed that Boomerang Video failed to carry out regular penetration testing on its website, which should have detected any errors.
Additionally, the company failed to ensure that the password for the account on the WordPress section of its website was sufficiently complex.
Some of the information Boomerang Video stored was unencrypted, and even the data that was encrypted could still have been accessed, because the company failed to keep the decryption key secure.
On top of this, encrypted cardholder details and CVV numbers were held on the web server for longer than necessary. "For no good reason, Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening," the ICO investigation concluded.
Furthermore, the ICO has published guidance to assist businesses ahead of the implementation of GDPR on May 25, 2018. The guidance includes an updated toolkit for SMEs with a checklist to help organizations in their GDPR preparations.
Source: Britain's Information Commissioner's Office (ICO).