SME firm hit by cyber-attack and fined £60,000 by the ICO5th July 2017
In recent news, cyber-attacks have been a major topic of concern across the UK and indeed the globe.
After an investigation, the ICO found Berkshire-based, Boomerang Video Ltd failed to take simple steps to prevent its website from being attacked. The video game rental business, was the victim of a cyber-attack in 2014, commonly known as the SQL injection attack. Due to a lack of cyber security 26,331 customers had their personal details compromised.
ICO Enforcement Manager, Sally Anne stated:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”
“If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
If you are an SME you must comply with the existing Data Protection Legislation to ensure that you don’t receive any potential fines, and with the new GDPR coming into force in 2018 it is now more important than ever that you check to ensure your compliance.
The investigation into Boomerang Video Ltd completed by the ICO found:
- A failure to carry out regular penetration testing on their website – leaving unknown errors not being detected.
- A failure to force customers to create and use sufficiently complex passwords.
- The failure to encrypt sensitive information, and even when encrypted, the decryption key for information was easily accessible to hackers.
- The failure to encrypt credit card data, including cardholder details and CVV numbers which were kept on the web server for longer than they should have been.
Are you guilty of any of the above? If so, it is essential that you revist your procedures immediately.
From this, SME’s should now understand how crucially important it is to comply with data protection legislation. The protection of customer’s and employee’s data should be taken very seriously. Guidance and advice is available to ensure your business is continually in compliance with the current implementation of GDPR, and future-proof you against forthcoming changes.
Griffin House Consultancy are here to provide you with all the training and knowledge your company needs to comply with GDPR. If you would like more information on how to protect your business please contact us on 01673 885533 or email [email protected]