Racing Post, Office bare all for ICO

The Information Commissioner’s Office has forced Racing Post and shoe retailer Office to lay bare their data security strategies for all to see, after the two firms narrowly escaped fines for compromising the personal details of a combined 1.7 million customers.
The move follows Information Commissioner Christopher Graham’s pledge not to dish out fines willy-nilly; he recently declared: “Let me reserve the big stick in the cupboard for those that need a good spanking.”
Office, which put 1 million records at risk in May last year, was forced to admit it had no formal policy on data retention and had not trained staff about data protection.
Perhaps unsurprisingly, hackers were able to purloin a legacy, unencrypted customer database which included names, addresses, phone numbers, email addresses and website passwords.
The firm has now appointed security firm Nettitude and briefed its site development agency, Envoy Digital, to build an internal penetration testing platform.
It has also introduced a data policy; however, it still retains customer information for five years – much to the displeasure of the ICO, which suggests this policy should be reconsidered.
Racing Post, which lost 700,000 customer details, was given the option to sign an agreement with the ICO to publish and monitor its security measures or get whacked with a fine.
The company said it had introduced new measures and also updated its penetration and vulnerability testing policy, almost two years after the breach. The site will now be tested regularly. Prior to the hack in 2013, the last test had taken place in 2007. In addition, the firm now stores passwords in encrypted form on secure servers.
