SMEs urged to review website security
A recent decision by the ICO has seen a small business, Boomerang Video Ltd (Boomerang) fined £60,000 for a serious breach of the Data Protection Act 1998 (DPA) by not taking appropriate steps to safeguard personal data in their possession.
Following their decision, the ICO issued a press release warning SMEs that “regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”
Boomerang operates a website enabling customers to rent video games. Boomerang used a third party to develop the website and was unaware of a coding error in the login page. In 2014, that coding error allowed a successful SQL injection attack, a very common technique, to obtain access to the usernames, passwords and personal data of over 26,000 Boomerang customers, including encrypted and unencrypted cardholder details.
Particular issues which the ICO cited were Boomerang’s failures to:
- carry out regular penetration testing on its website (which should have picked up the coding error);
- ensure that the password for access to part of the website was sufficiently complex to be resistant to a brute-force attack; and
- keep the decryption key secure and prevent an attacker accessing it.
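The coding error at the centre of the decision, shown as an added example that is not Boomerang's code or the ICO's: a login-page lookup that splices the submitted username into the SQL text, so a quote character in the input rewrites the query and returns every row, placed beside the parameterized form that a penetration test would expect to find, together with salted password hashing so that a leaked table does not hand over usable passwords. The customer rows, names and the PBKDF2 cost are constructed values.

```python
"""Added example (not Boomerang's or the ICO's code): the login-page lookup
pattern that lets SQL injection expose a customer table, beside the
parameterized form, plus salted password hashing. All data is constructed."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: a moderate CPU cost for PBKDF2-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a leaked table yields no usable passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_customer_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a rental site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT PRIMARY KEY, email TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    for user, email, pw in [
        ("alice", "alice@example.com", "correct horse battery"),
        ("bob", "bob@example.com", "hunter2hunter2"),
    ]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?, ?)",
            (user, email, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The coding error: the username is spliced into the SQL text, so input
    containing a quote changes the WHERE clause instead of being matched as
    data. Kept flawed deliberately, for comparison only."""
    sql = f"SELECT username FROM customers WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized form: the driver binds the value; the query shape is fixed."""
    sql = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time comparison of the stored hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM customers WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run both lookups on the same malformed input and a normal login."""
    db = build_customer_db()
    # A quote that closes the string literal: enough to show why binding matters.
    malformed = "' OR '1'='1"
    return {
        "vulnerable": sorted(lookup_vulnerable(db, malformed)),  # every username
        "safe": lookup_safe(db, malformed),                      # []
        "exact": lookup_safe(db, "alice"),
        "login_ok": verify_password(db, "alice", "correct horse battery"),
        "login_bad": verify_password(db, "alice", "wrong"),
        "login_unknown": verify_password(db, "nobody", "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14}{value}")
```

The vulnerable lookup returns the whole table for the malformed input, which is the failure mode behind the 26,000-record exposure; the parameterized lookup treats the same input as an ordinary string and matches nothing. Regular penetration testing, the first of the ICO's cited failures, is the check that would catch the former pattern before an attacker does.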
These failures were in existence from the website’s inception in 2005 until 12 January 2015 when Boomerang finally took remedial action.
The ICO was satisfied that the hurdles set by the DPA to issue a monetary penalty for the breach had been passed on the basis that:
- it was sufficiently serious;
- it was of a kind likely to cause substantial damage or distress;
- Boomerang ought reasonably to have known that there was a risk of such a contravention occurring; and
- Boomerang had failed to take steps to prevent the attack.
SMEs should note that as a ‘data controller’ under the DPA, Boomerang was liable for the ICO’s fine despite having used a third party to develop the website. It is therefore worth checking whether any third party developer is familiar with good industry practice in developing secure websites and web applications, and reviewing their terms and conditions of business to see whether they provide any warranties in this regard.
The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, retains the ‘seventh principle’ of the DPA, which requires organisations to ensure that personal data are kept secure and protected against unlawful processing.
The ICO published a guide to protecting personal data in online services some time ago, which is a helpful resource.