The United Kingdom’s Information Commissioner’s Office (ICO) has slapped Boomerang Video Ltd. (BV), a company that rents out video games, with a £60,000 fine. The monetary penalty is the result of a 2014 data breach in which personal details of 26,000 people were stolen.
The fine deserves another look because BV’s data breach was the result of an attack; it is not an instance of the “breachee” having a hand in the data breach, e.g., never changing the default password or using software that was out of date. Nothing that foolish.
At the same time, BV certainly could have done much, much better to secure their online presence.
SQL Injection Attack
As the ICO notes, the breach took place via a SQL injection attack. This in turn allowed hackers to guess a password “based on the company’s name,” allowing access to the company’s servers. Of course, once inside, all sorts of shenanigans took place.
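To make the "SQL injection" item concrete, here is an added illustration (not code from this post, and nothing to do with Boomerang Video's actual site) of the defect class the ICO is describing, beside its fix. It uses Python's built-in sqlite3 module with an in-memory database and a constructed user table; the function names, table layout and sample input are assumptions for the example only.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample row; the hash value is a placeholder, not a real digest.
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-hash')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: untrusted input is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement itself,
    so quoting characters in the input change the query's logic.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Hardened form: the input is bound as a parameter.

    The database driver treats the value purely as data, so the statement's
    structure is fixed no matter what the string contains.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run the same input through both forms and return (vulnerable, hardened)."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterised(conn, username)


if __name__ == "__main__":
    # A legitimate username matches in both forms.
    print(compare("admin"))
    # A string containing SQL syntax only matches a row in the vulnerable form;
    # the parameterised query looks for that literal string and finds nothing.
    print(compare("nobody' OR '1'='1"))
```

The point for a small business owner or the developer they hire is that the fix is not exotic: every mainstream database library offers parameter binding, and a web application that uses it consistently does not have this class of bug. It is also the kind of defect a routine penetration test, the first item on the ICO's list, is designed to surface.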
The hacker (or hackers) was aided by certain practices that BV engaged in, as listed by databreaches.net:
- Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors.
- The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex.
- Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure.
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.
The above is not a full list (for example, they also stored cards’ security codes, which are prohibited once payment is processed). But, it already paints quite a picture.
What may be surprising to most Britons is the level of security awareness a business must have, even if it happens to be a small- or medium-sized enterprise. SQL injection attacks, password complexity, penetration testing, securing encryption keys… these are not terms one is generally familiar with. You may hear them here and there once in a while, maybe even have a passing knowledge of what they entail.
But actually doing it? Some of the listed practices lie firmly in the realm of professionals who charge a lot of money for their services. Unsurprisingly, businesses that are not necessarily raking it in do not seek or engage the help required to protect their clients (and to meet the law’s standards).
On the other hand, BV’s website debuted in 2005, and “remedial action” to secure the site was taken in 2015. That’s a long time to go without checking whether things are secure, especially considering what the internet has morphed into: among other things, a fast-moving place where data crimes grow more frequent and more severe by the day.
The lesson to take away in this instance comes not from the nature of BV’s digital sins or the monetary fine it was levied with, but from the ICO’s enforcement manager’s own words:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
The government is sending a signal, loud and clear, and in oh-so-many ways. Are businesses listening?