
ICO fine highlights data risks

by Christian Annesley
5th Jul 2017

Data laws are changing next year and the ICO is getting tough on those whose data is breached. Is now the moment to review your data handling? Christian Annesley reports.

Last week the Information Commissioner’s Office (ICO) fined a small business £60,000 for suffering a cyber-attack because it failed to take basic steps to stop its website being hacked.

The fine and the reputational damage to Boomerang Video, based in Reading, is a considerable hit – and should surely be taken as a warning by finance directors and SME boards to get serious about cybersecurity, not just to prevent attacks but because from late May next year a new set of UK data laws will apply (called GDPR; see explainer at the end of this article).

In the circumstances, being found wanting in relation to data and best practice guidance isn’t really an option.

Strong statements

The ICO’s robust statements in relation to Boomerang’s failures also put things in sharp focus.

Sally Anne Poole, ICO enforcement manager, said: “Regardless of your size if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

Poole says Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
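The technique named above, SQL injection, comes down to untrusted input being pasted into the text of a query. The following is an added example, not code from the original article or from Boomerang Video: a customer lookup against a small SQLite table, written once the injectable way (string concatenation) and once with a bound parameter. The table, the rows and the payload are constructed for the illustration; the point it makes is that a single tautology in one form field is enough to pull every row out of the vulnerable version, while the parameterised version returns nothing for the same input.

```python
import sqlite3

# Constructed sample data for this example only (not Boomerang's real records).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "0118 000 0001"),
    ("bob@example.com", "Bob Example", "0118 000 0002"),
    ("carol@example.com", "Carol Example", "0118 000 0003"),
]

# A classic tautology payload: it closes the string literal the application
# opened and ORs in a condition that is always true.
PAYLOAD = "nobody@example.com' OR '1'='1"


def build_db():
    """Create an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately injectable: the caller's input becomes part of the SQL text."""
    sql = "SELECT email, name, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened form: the input is bound as a parameter, so it is only ever data."""
    sql = "SELECT email, name, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with the payload and return the row counts (leaked, safe, normal)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)      # every customer row comes back
    safe = lookup_safe(conn, PAYLOAD)              # no row has that literal email
    normal = lookup_safe(conn, "alice@example.com")  # the legitimate query still works
    return len(leaked), len(safe), len(normal)


if __name__ == "__main__":
    leaked, safe, normal = demo()
    print(f"vulnerable lookup with payload returned {leaked} rows")
    print(f"parameterised lookup with payload returned {safe} rows")
    print(f"parameterised lookup with a real address returned {normal} row")
```

Read alongside the other findings, the example shows why the four failures compound: once an injection lets an attacker read the database, encryption only helps if the key is kept somewhere the same query cannot reach, and retained cardholder data is exposed in full. Regular penetration testing of the site, as the ICO notes, is exactly the exercise that would have sent a payload like the one above through every input and flagged the concatenated query.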

Poole says: “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

‘Hard to stay ahead’

Mark Allbutt, technical director at Probrand, an IT services and marketplace business, says cyber security is climbing the agenda of SMEs in the face of a rising number of incidents, but the danger is that the criminals are often one step ahead.

“Today hackers are looking to new tactics including the hiring of moles or internal spies – such as former or existing employees – to pinpoint weaknesses within the businesses and tap into data in return for a monetary sum or other incentives,” he said.

So what’s the best way to limit the risks, with potential attacks coming in from all sides?

“For smaller businesses, which may not have a dedicated IT department, it’s important to educate staff about the possible ways the business can be subjected to an attack. It may be something as simple as clicking on an infected pop-up or visiting an infected site. Similarly, it’s important to be aware of any remote access that a business or individual may have to your device, including any visitors to the building that may be using a USB port to download a presentation, for example.”

Allbutt says the issue often boils down to education, because “there’s little point in maintaining security technologies if staff are only going to disable it in order to gain access to a site that is being flagged as potentially dangerous. In promoting the danger of possible threats from the inside out, businesses can create a ‘think twice’ mentality that goes some way in reducing their vulnerability.”

For SMEs, the big thing is to promote proper awareness, reckons Allbutt, since many SME business owners see their business as too small to be of interest to cybercriminals, or think that the data they hold simply isn’t important enough. Boomerang’s attack shows up the shortsightedness of that presumption.

“Large corporations certainly create the headlines, but SMEs are hugely at risk. It’s crucial that SMEs regularly check and update security measures to ensure that they aren’t relying on a legacy system. If nothing else, you have to keep software up-to-date and take steps like penetration testing.”

Chris Pallett, MD of Bespoke Computing, goes a step further in his assessment of the risks.

“Cyber-attacks on businesses are evolving. It’s like an arms race between attackers and defenders. One of the most horrifying scenarios for any SME is to be the victim of what is known as a 'supply chain attack', whereby the lack of security is used as an entry point to compromise a bigger client of the SME. If you supply services to a big brand and then you let the thieves in that's likely to be the end of your business very quickly,” he cautions.

If all the warnings make cyber-security sound like an insurmountable problem, the bigger message is that the resources are now available to make things easier.

Professor Richard Benham is part of this change movement, establishing in 2014 the UK’s first national MBA on cyber-security – and like others, he says education is at the heart of the message.

“This is not a technical issue but a management issue: our managers and leaders countrywide need a better understanding of the risks.”

Seven steps to protect your business

  • Make sure your computers are configured securely: At the most basic level, this means checking that your web browser and email software are set up securely rather than left on their default settings.
  • Choose strong passwords and keep them safe: And if you notice anything suspicious, change your password straight away
  • Use security software: Firewalls are your first line of defence against threats and antivirus software should protect against malicious programs.
  • Keep software up to date: By staying on top of patching and updates you make it more difficult for would-be attackers to take advantage of flaws.
  • Keep an eye on your financials: The impact of any theft or fraud can be minimised if it is caught early enough. If you spot anything suspicious, contact your bank immediately.
  • Protect your data: Ensure that sensitive data is stored in an environment managed to the ISO 27001 information security standard.
  • Train staff: As threats become more sophisticated, employees are increasingly the largest cause of security breaches. So manage staff permissions well and make sure all staff know what to look out for by creating an information security policy.

Source: Jelf Insurance Brokers

What is GDPR?

From May 2018, new data laws will apply in the UK under the General Data Protection Regulation (GDPR).

This regulation is intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU and is designed to give citizens back control of personal data while simplifying the regulatory environment for international business.

If this sounds like a headache, the message from every informed corner is that it doesn’t have to be. It’s important for companies not to view this work as a burden. The experts agree that the legislation is well-framed and is a good jumping-off point for those looking to exploit data for commercial advantage.

The Information Commissioner’s Office (ICO) has also issued step-by-step guidance for businesses to approach the changes in good time.

Replies (4)

By AndrewV12
06th Jul 2017 10:21

OOOhhh dear Boomerang Video probably had loads of details on its customers including Bank accounts and payment accounts, and regrettably it had 26,000 customers.

Protecting personal data, oh my gosh, how far do you go.

Thanks (1)
Replying to AndrewV12:
By Tom Herbert
06th Jul 2017 10:46

It's a pretty shocking example - the report states that most of their passwords were 'Boomerang'. Slightly better than 1234 or abcd, but not much :-/

Thanks (0)
Replying to TomHerbert:
By Democratus
06th Jul 2017 12:18

That's my password "1234 or abcd" How did you get it Tom?

Thanks (2)
Replying to Democratus:
By Tom Herbert
14th Jul 2017 14:51

;-)

Thanks (0)