ICO fines SME games company £60k for failing to report breach

Boomerang Video Ltd (Boomerang) has been fined by the Information Commissioner’s Office (ICO) for failing to report a data breach dating back to 2015. This fine should be a reminder to all SMEs that failure to act accordingly with data protection legislation will result in consequences.

Sally-Anne Poole, enforcement officer for the ICO, said in a statement:

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. 

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

In December 2014, Boomerang suffered a SQL injection and malware attack that resulted in 26,331 customer names, addresses, account numbers, card expiry dates and security codes being compromised.

The ICO investigation discovered that Boomerang had failed to carry out regular penetration testing, which would have kept the data secure and detected any errors. In addition, the investigation also found that “encrypted cardholder details and CVV numbers were held on the web server for longer than necessary”.

Poole added:

“For no good reason, Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

A spokesperson for Boomerang told SC Media UK that:

“We do not agree with all the details of the ruling; however, we have accepted it and would like to apologise to any customers who were affected by this criminal attack.”

What would have happened under the GDPR?

The fines under the GDPR would have been significantly higher, as companies that fail to comply with the regulation risk being fined up to 4% of annual global turnover or €20 million – whichever is greater up to 4% of their annual turnover.

The GDPR’s definition of personal data is now also much broader than under the Data Protection Act (DPA). Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Read more on how the definition of personal data will change under the GDPR.

IT Governance has all the resources you need to comply with the GDPR, including those for raising staff awareness.

A key component of any organisation’s GDPR compliance framework is staff awareness and education. With the Regulation stipulating significant fines for non-compliance, it is essential that your staff have an understanding of the new Regulation’s requirements.

Are your staff aware of the GDPR?

The GDPR Staff Awareness E-learning course is a quick, affordable and effective means of delivering training to multiple learners. The course is suitable for all employees whose job involves processing and storing personal data and also for non-technical staff.

Make sure your organisation is fully GDPR-compliant by enrolling your staff onto the GDPR Staff Awareness E-learning course.