Pre-GDPR warning as UK SME fined £60,000 for cyber security failings
Set against high-profile cases such as Wonga, Debenhams and TalkTalk, and the WannaCry and Petya ransomware outbreaks, a data breach at a small UK-based video company might seem trivial by comparison.
But that’s not the way the Information Commissioner’s Office (ICO) saw it when handing out a fine of £60,000 for what it described as “basic” cyber security failings by Boomerang Video.
IT sector events, blogs, mags and social media have been bursting with warnings about GDPR, ransomware, cyber crime, risks, vulnerabilities and technologies to prevent, fix or resolve them.
Yet it seems the message still hasn’t sunk in.
At least not with everyone.
Let’s be clear about what the message actually is.
If your organisation holds data on customers, and you fail to take proper precautions to protect that data, and you get hacked, and your customer data gets stolen – you are going to get hit with a fine. Probably.
It raises the question of why company directors, IT teams and other professionals who have a basic duty to safeguard customer data are not listening.
One possible reason is the ‘too many experts’ syndrome.
Data security experts have been accused of prowling around this topic for years, just waiting to pounce and point the finger. This, say some, leads to ‘warning fatigue’. You hear it so many times that eventually it just starts to bounce off you and you become hardened to the messages.
Time to think again.
This £60,000 fine comes on the back of other incidents of customer data loss, where the companies responsible were given a warning by the ICO for not properly informing customers in the aftermath.
It seems that this may be one of the first examples of a fine being levied specifically for cyber security failings i.e. for failing to take the proper steps to prevent sensitive personal data from being hacked – marking a major step change in the security legislation landscape.
Speaking about the ruling, Sally Anne Poole, Enforcement Manager at the ICO said:
“Boomerang failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack.”
According to the ICO, there was a coding error on the login page of Boomerang’s website which was exploited via SQL injection.
Using this as a way in, the attacker was able to obtain the username and password of a staff account for an admin area of the website and, from there, gained access to the customer data.
In its statement (available on its website), the ICO explains that: “The attacker was able to query the customer database and download text files containing 26,331 cardholder details (including name, address, primary account number, expiry date and security code)”.
Further extracts from the ICO statement show that the company:
- Failed to carry out regular penetration testing on its website that should have detected errors
- Failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data
- Failed to ensure that the password for the [website] account was sufficiently complex
- Failed to keep the decryption key secure and prevent it being accessed by the attacker
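The ICO notice does not publish Boomerang’s code, so the following is an added example (not the company’s or the ICO’s code) of the class of login-page flaw described above, with the fix beside it. The schema, the two staff accounts and the attack strings are constructed for this example; the payloads are the kind of input a routine penetration test of a login form would send. It uses only Python’s built-in sqlite3 module.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a small staff
# table with an admin account behind the website's admin area.
STAFF_ROWS = [
    ("admin", "Summer2017"),      # weak password, as the ICO flagged
    ("editor", "Vd8#kq2!Lp9z"),
]


def make_db():
    """Create an in-memory database holding the constructed staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is concatenated into the SQL text, so quotes and
    comment markers in the input change the query's structure."""
    query = ("SELECT username FROM staff WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """The fix: placeholders pass the input as bound values, so the driver
    never interprets it as SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT username FROM staff WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and two classic injection payloads against
    both versions and return who each attempt was logged in as."""
    conn = make_db()
    results = {}

    # A genuine staff login succeeds in both versions.
    results["good_vuln"] = login_vulnerable(conn, "editor", "Vd8#kq2!Lp9z")
    results["good_param"] = login_parameterised(conn, "editor", "Vd8#kq2!Lp9z")

    # Comment payload: the "--" turns the rest of the query into a comment,
    # so the password check is never evaluated.
    results["bypass_vuln"] = login_vulnerable(conn, "admin'--", "anything")
    results["bypass_param"] = login_parameterised(conn, "admin'--", "anything")

    # Tautology payload: "OR '1'='1" makes the WHERE clause true for every row.
    taut = "x' OR '1'='1"
    results["taut_vuln"] = login_vulnerable(conn, taut, taut)
    results["taut_param"] = login_parameterised(conn, taut, taut)
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:12s} -> {who}")
```

Against the vulnerable function the comment payload logs in as `admin` without knowing the password and the tautology payload matches every row; the parameterised function rejects both and still accepts the real credentials. The example keeps plaintext passwords in the table only to stay short: a real login should compare against a salted password hash (bcrypt, scrypt or Argon2), and the customer-data and decryption-key failings in the ICO’s list are separate controls that parameterised queries alone do not address.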
Describing the failures in her statement, Sally Anne Poole continued:
“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
“Regardless of your size, if you are a business that handles personal information then failure to take responsibility will land you with a cyber attack fine. And with GDPR coming into force next year, a cyber attack fine could become a lot higher.”
What this means
Businesses need to learn from this example and ensure that their data protection measures are robust enough to comply with ICO guidelines.
Data security is no longer a tick in the box exercise and needs to be taken very seriously.
With GDPR looming on the near horizon, it is no longer good enough to have half measures in place to protect critical data.
There’s little doubt that much has been made of Boomerang’s failings as an example to other small firms that perhaps felt that data security requirements, or GDPR, did not apply to them.
In fact Sally Anne Poole of the ICO summed this up herself, stating:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you”.
The ICO offers a range of guidance resources on its website to help businesses prepare ahead of the GDPR coming into force on 25 May 2018.
Or for a quick overview of the “what, when and how” of GDPR compliance, read this short GDPR guide for IT Managers posted on our blog last year.
If you want an assessment of your readiness for GDPR – or any other advice about your current data security set up, simply contact Foursys.
Speak to a Foursys security expert now to arrange a review of your network security infrastructure and systems. Call now on 01284 788900 to find a security solution that’s right for your organisation.