[BreachExchange] Pwned UK SME fined £60K for leaving itself vulnerable to hack attack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 27 19:21:37 EDT 2017 

https://www.theregister.co.uk/2017/06/27/boomerang_video_hack_ico_fine/

A small UK company that suffered a cyber attack has been fined £60,000 by
the Information Commissioner’s Office (ICO).

An investigation by the ICO found Berkshire-based Boomerang Video failed to
take basic steps to stop its website being attacked, a hacking incident
that led to the exposure of the personal details of 26,000 back in 2014. An
unidentified attacker used SQL injection (a common hacking technique) to
access 26,331 customer details.

The ICO hopes the enforcement action (https://ico.org.uk/media/
action-weve-taken/mpns/2014300/mpn-boomerang-video-ltd.pdf) will prompt
other small businesses to review their security policies.

Sally Anne Poole, ICO enforcement manager, said: "Regardless of your size,
if you are a business that handles personal information then data
protection laws apply to you.

"If a company is subject to a cyber attack and we find they haven’t taken
steps to protect people’s personal information in line with the law, they
could face a fine from the ICO. And under the new General Data Protection
Legislation (GDPR) coming into force next year, those fines could be a lot
higher."

An ICO investigation found that Boomerang Video failed to carry out regular
penetration testing on its website that should have detected errors. In
addition, the firm failed to ensure the password for the account on the
Wordpress section of its website was sufficiently complex.

Boomerang Video had some information stored unencrypted and even encrypted
could be accessed because it failed to keep the decryption key secure. To
top everything else, encrypted cardholder details and CVV numbers were held
on the web server for longer than necessary. “For no good reason Boomerang
Video appears to have overlooked the need to ensure it had robust measures
in place to prevent this from happening," the ICO's Poole concluded.

The ICO has published guidance to help businesses ahead of the
implementation of GDPR on 25 May 2018. These guides include an updated
toolkit for SMEs that includes a checklist to help organisations in their
GDPR preparations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170627/cfcf5fca/attachment.html>

More information about the BreachExchange mailing list