SMEs are being urged to take note after a company hit by a cyber attack was slapped with a £60,000 fine by the Information Commissioner’s Office.
An investigation found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
She added: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors.
The firm also failed to ensure the password for the account on the WordPress section of its website was sufficiently complex.
It also had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure.
Encrypted cardholder details and CVV numbers were also held on the web server for longer than necessary.
Ms Poole said: “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018.
This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.