As the fallout from the latest ransomware attack continues, small and medium-sized businesses have been warned to carry out regular checks on the security of their online servers, after the data protection regulator issued a fine to a video rental firm which exposed sensitive data on over 26,000 customers following a cyber attack.
The Information Commissioner’s Office has fined Berkshire-based Boomerang Video £60,000 following an investigation which found the firm had failed to take basic steps to stop its website being attacked.
The video game rental firm’s website was subject to the attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found that Boomerang Video had failed to carry out regular penetration testing on its website that should have detected errors, while it also failed to ensure the password for the account on the WordPress section of its website was sufficiently complex.
Some of Boomerang Video’s information was stored unencrypted, and the information that was encrypted could still be accessed because the firm failed to keep the decryption key secure. Meanwhile, encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.
ICO enforcement manager Sally Anne Poole said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
She added: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.
“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”