Boomerang gets £60,000 cyber attack fine for “basic” failings
If your company has failed to implement basic cyber security, and your website takes a hit, the Information Commissioner’s Office can hand out a fine.
With GDPR coming into force next year, a cyber attack fine could become a lot higher, have a look at our previous blog GDPR the Costs.
Boomerang a UK SME is now counting the costs!!
Cyber security has been a ubiquitous subject lately and we all maybe suffering from info overload.
Here is a wake up call!!
Experts are warning that SMEs are ill-prepared, or not listening. Find out What can you do? here.
Now perhaps they will as the company subject to the fine Boomerang Video, allows customers to rent video games online, payable through a web application. It was the victim of cyber crime in 2014, which saw the details of 26,331 customers accessed.
On the surface, the attack didn’t differ too much from those on larger companies throughout the year, WONGA, Talk Talk, Debenhams
Most were just warned in some way, mostly for not letting customers know about the breach immediately.
Boomerang was handed a cyber attack fine of £60,000 – not something you expect to be given after someone hacks your website. Here are the reasons why:
1.Boomerang used a third party to develop the web site and it had a security flaw.
2.The site was based on WordPress and you need to be constantly updating security for the world’s most popular WB site tool see our blog WordPress Security
3.Boomerang apparently ignored guidelines on credit card data storage and kept records of names, addresses, primary account numbers, expiry dates and security codes
4.In particular “security code” storage is a No No according to the Information Commissioner “Industry guidelines prohibit the storage of the security code after payment authorisation. Boomerang failed to carry out regular penetration testing on its website, which should have detected the error. It also didn’t ensure the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack”
Have a look at the ICO explanation
The ICO has made an example of Boomerang to remind bosses that no one is exempt from the law.
The ICO states “Regardless of your size, if you are a business that handles personal information then failure to take responsibility will land you with a cyber attack fine. And with GDPR coming into force next year, a cyber attack fine could become a lot higher.”