Boomerang Video has been fined £60,000 by the Information Commissioner’s Office (ICO) following the hacking of its website in December 2014.
The ICO’s investigation found that the Berkshire-based video game company failed to carry out regular penetration tests, which would have detected the flaws that a hacker ultimately exploited.
The hacker used a SQL injection attack and malware to access the site’s database, getting hold of the names, addresses and payment card information (account numbers, expiry dates and security codes) of 26,331 customers.
Boomerang reportedly also failed to encrypt some account numbers, kept personal data on the server for longer than necessary and used a weak password for the WordPress section of its site.
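The SQL injection pattern behind the breach is easiest to see with the flawed query beside its fix. The following is an added illustration, not code from the Boomerang site or the ICO report; the table, column names and customer rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer table. Note that a
# card security code (CVV) is deliberately absent: PCI DSS forbids storing
# it after authorisation, so it should never be in the database at all.
CUSTOMERS = [
    ("alice", "alice@example.test", "1111222233334444"),
    ("bob", "bob@example.test", "5555666677778888"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """The flawed pattern: untrusted input is pasted into the SQL text, so a
    quote character in the input changes the query's structure instead of
    just supplying a value. A penetration test exercises exactly this."""
    sql = f"SELECT name, email FROM customer WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """The fix: the driver sends the value separately from the statement,
    so whatever the input contains, it is only ever compared as data."""
    sql = "SELECT name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tainted = "nobody' OR '1'='1"
    print(lookup_vulnerable(db, tainted))     # every customer row leaks
    print(lookup_parameterised(db, tainted))  # no customer has that name
```

The same input that dumps every row from the string-built query matches nothing once the value is bound as a parameter, which is the control a regular test of the site's forms would have confirmed was missing.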
A warning to prepare for the GDPR
This fine should act as a warning for other small and medium-sized businesses, the ICO claims. Sally-Anne Poole, ICO enforcement manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the [EU General Data Protection Regulation (GDPR)], those fines could be a lot higher.”
The GDPR comes into effect on 25 May 2018, and any organisation found to be in breach of it could face a fine of up to €20 million (about £17.8 million) or 4% of its annual global turnover – whichever is greater.
Poole added: “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
Benefits of penetration testing
Penetration testing can help protect your organisation from cyber attacks. It is also an essential part of any cyber security strategy, helping you establish whether critical processes, such as patching and configuration management, have been followed correctly.
As such, penetration testing addresses the general auditing aspects of a number of regulations, including the GDPR, the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.
IT Governance offers a number of penetration testing services to rank and rate vulnerabilities in your systems. We are a reputable, certified provider of tests, offering fixed-price and bespoke CREST-accredited penetration tests to help you prepare for attacks against your information assets.