Close

Home > News > SMEs urged to review website security

SMEs urged to review website security

11 July 2017 |

A recent decision by the ICO has seen a small business, Boomerang Video Ltd (Boomerang) fined £60,000 for a serious breach of the Data Protection Act 1998 (DPA) by not taking appropriate steps to safeguard personal data in their possession. 

Following their decision, the ICO issued a press release warning SMEs that “regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”

Background

Boomerang operates a website enabling customers to rent video games. Boomerang used a third party to develop the website and was unaware of a coding error in the login page. In 2014, that coding error allowed a successful and very common attack using SQL injection, to obtain access to the usernames, passwords and personal data of over 26,000 Boomerang customers, including encrypted and unencrypted cardholder details.

Failures

Particular issues which the ICO cited were Boomerang’s failures to:

  1. carry out regular penetration testing on its website (which should have picked up the coding error);
  2. ensure that the password for access to part of the website was sufficiently complex to be resistant to a brute-force attack; and
  3. keep the decryption key secure and prevent an attacker accessing it.

These failures were in existence from the website’s inception in 2005 until 12 January 2015 when Boomerang finally took remedial action.

Monetary Penalty

The ICO was satisfied that the hurdles set by the DPA to issue a monetary penalty for the breach had been passed on the basis that:

  • it was sufficiently serious;
  • it was of a kind likely to cause substantial damage or distress;
  • Boomerang ought reasonably to have known that there was a risk of such a contravention occurring; and
  • Boomerang had failed to take steps to prevent the attack.

Commentary

SMEs should note that as a ‘data controller’ under the DPA, Boomerang was liable for the ICO’s fine despite having used a third party to develop the website. It is therefore worth checking whether any third party developer is familiar with good industry practice in developing secure websites and web applications and review their terms and conditions of business to see whether they provide any warranties in this regard.

The General Data Protection Regulation (GDPR) which comes into force on 25 May 2018, retains the ‘seventh principle’ of the DPA, which requires organisations to ensure that personal data are kept secure and protected against unlawful processing.

The ICO published a guide to protecting personal data in online services some time ago, which a helpful resource. 

If you have any queries or concerns arising from this article in relation to your own business, you can read more about our Data Protection services or contact us.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

  • What can we help you with?

  • This field is for validation purposes and should be left unchanged.
Close