British SME gets £60,000 cyber attack fine for “basic” failings
3 min read
27 June 2017
If your company has failed to implement basic cyber security, and your website takes a hit, then the Information Commissioner’s Office can hand you a cyber attack fine.
Cyber security has been a prevalent subject of late. But while experts have warned that SMEs are ill-prepared, many may not have been listening – until one SME was handed a cyber attack fine.
The company in question, Boomerang Video, allows customers to rent video games online, payable through a web application. It was the victim of cyber crime in 2014, which saw the details of 26,331 customers accessed.
On the surface, the attack didn’t differ too much from those on larger companies throughout the year. Wonga’s data breach affected almost 250,000 customers, some 26,000 customers got a raw deal after a Debenhams Flowers hack and the ABTA, an association for travel operators, saw the personal details of 43,000 people unveiled.
While all have been admonished in some way, mostly for not letting customers know about the breach straight away, Boomerang was handed a cyber attack fine of £60,000 – not something you expect to be given after someone hacks your website. But there’s a reason why.
Now, more than ever, with GDPR on the horizon, companies handling personal data need to take appropriate steps in cyber security.
According to Sally Poole, enforcement manager at the Information Commissioner’s Office (ICO): “Boomerang failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack.”
Indeed, the ICO found that Boomerang’s website had been created by a third party, with the company unaware there was a coding error on the login page. This error was exploited by a SQL injection, which the hacker essentially used to gain access to staff usernames and passwords for the WordPress section of the site.
The ICO exclaimed: “One password was a simple dictionary word based on the company’s name. The attacker then uploaded a malicious web shell onto the server to gain access to personal data such as names, addresses, primary account numbers, expiry dates and security codes – and while some were encrypted, the attacker used a decryption key with ease due to information stored in configuration files on the server.
“Industry guidelines prohibit the storage of the security code after payment authorisation. Boomerang failed to carry out regular penetration testing on its website, which should have detected the error. It also didn’t ensure the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack.”
This, the ICO hopes, will serve as an example and remind bosses that no one is exempt from the law.
Poole explained: “Regardless of your size, if you are a business that handles personal information then failure to take responsibility will land you with a cyber attack fine. And with GDPR coming into force next year, a cyber attack fine could become a lot higher.”