Last week (27th June 2017), the Information Commissioner’s Office (ICO) announced that it had issued a substantial fine to an SME that had been the victim of a cyber-attack. This brings home the fact that all of us, whatever the size of our business, need to ensure we are compliant with data protection regulations.
Here is the scenario… could any of this apply to you?
Are you certain your business complies with GDPR? Can you afford a fine from the ICO?
On the 5th December 2014, the medium-sized, Berkshire-based Boomerang Video Ltd became the victim of a cyber-attack of the kind most commonly known as SQL injection. Boomerang was not aware of the attack until the 9th January 2015. An investigation by the Information Commissioner’s Office (ICO) found a failure to comply with the Data Protection Act 1998 – leading Boomerang Video Ltd to receive a fine of £60,000.
Boomerang Video Ltd enables customers to rent video games through a payment application. A third party company developed the website in 2005 and failed to identify a coding error on the login page.
In 2014 a cyber-criminal took advantage of this, compromising customers’ personal data. The company had also failed to set a complex password for its WordPress content management system, allowing the attacker to upload a web shell onto the server and gain access to individuals’ personal data.
Boomerang also failed to keep the decryption key secure, which enabled the attacker to easily gain access to the encrypted data. 26,331 cardholder details, including names, addresses, primary account numbers, expiry dates and security codes, were compromised. As a result, Boomerang Video Ltd received approximately 1,100 complaints and enquiries – resulting in massive damage to its reputation.
ICO Enforcement Manager, Sally Anne Poole, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher…
I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
With the continuous rise of cyber threats to large and small businesses, it is time to take this matter seriously. Don’t let it be you.
Can you afford a £60,000 fine and for your reputation to be damaged?
The Trust Insurance Group can provide you with both preventative advice and also a specialist cyber insurance policy which covers you for breach costs including reputation damage, business interruption, ransoms and fines.
If you would like more information on how to protect your business from a cyber-attack please call us today on 01476 434050 or email firstname.lastname@example.org.