Cyber attack victim fined £60,000 for insufficient data protection

October 26, 2017

Failure to secure customer and employee information can have serious ramifications for small and medium-sized businesses, as a Berkshire-based video game rental firm learned recently.

The victim of a cyberattack, Boomerang Video Ltd faced a £60,000 fine after an investigation by the Information Commissioner’s Office (ICO) revealed the company had failed to take adequate steps to prevent its website from being compromised.

In 2014, the website of Boomerang Video Ltd. was subject to a cyberattack. In the course of this attack, the details of 26,331 customers could be accessed by the attacker through a common technique known as SQL injection.

An investigation conducted by the ICO found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors.
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex.
  • Boomerang Video had some information stored unencrypted, and that which was encrypted could be accessed because it failed to keep the decryption key secure.
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.

Concluding this investigation, the ICO decided to issue a monetary penalty of £60,000 to Boomerang Video Ltd. under section 55A of the Data Protection Act 1998.

The severity of the fine imposed here by the ICO constitutes a powerful warning to small and medium-sized businesses. Proactive effort in protecting the personal data of individuals, including customers and employees, is a necessity for businesses of every scale.

Further, with the introduction next year of the General Data Protection Legislation (GDPR), ensuring compliance with data protection legislation is now more important than ever. Under the incoming legislation, penalties for any failure to comply with data protection law could be even greater. As noted by ICO enforcement manager, Sally Anne Poole, “…under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

Michael Black, Employment and Immigration Director, Cleaver Fulton Rankin

Click here to sign up to our “GDPR – What HR Staff Need to Know” Seminar on 30 November 2017 (£40 plus VAT)