Small and medium-sized enterprises have been warned by the Information Commissioner's Office (ICO) to take note of the fine imposed by the ICO on Boomerang Video Ltd following a cyber attack in 2014, in which the personal details of 26,000 customers were accessed via an SQL injection attack, a common tool of attackers.
The fine of £60,000 was imposed by the ICO as a result of its findings that:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
- Boomerang Video had some information stored unencrypted, and the information that was encrypted could still be accessed because the firm failed to keep the decryption key secure
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
ICO Enforcement Manager Sally Anne Poole warned:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The ICO is warning businesses that they need to prepare for the implementation of GDPR on 25 May 2018, and has produced both a dedicated website and an online toolkit to assist with preparation and implementation.