GDPR Fines Are Happening In The UK
Cybersecurity has been a ubiquitous subject lately and we all may be suffering from info overload. If your company has failed to implement basic cybersecurity, and your website takes a hit, the Information Commissioner’s Office can hand out a fine.
With GDPR coming into force next year, a cyber attack fine could become a lot higher, have a look at our previous blog GDPR the Costs.
Boomerang a UK SME is now counting the costs having been fined £60,000 for cybersecurity failings. This is definitely a wake-up call for other UK businesses.
Boomerang Video allows customers to rent video games online, payable through a web application. It was the victim of cybercrime in 2014, which saw the details of 26,331 customers accessed. On the surface, the attack didn’t differ too much from those on larger companies throughout the year, WONGA, Talk Talk, Debenhams. Most were just warned in some way, mostly for not letting customers know about the breach immediately.
Boomerang was handed a cyber attack fine of £60,000 – not something you expect to be given after someone hacks your website. Here are the reasons why:
1. Boomerang used a third party to develop the website and it had a security flaw.
2. The site was based on WordPress and you need to be constantly updating security for the world’s most popular WB site tool see our blog WordPress Security
3. Boomerang apparently ignored guidelines on credit card data storage and kept records of names, addresses, primary account numbers, expiry dates and security codes
4. In particular “security code” storage is a No-No according to the Information Commissioner “Industry guidelines prohibit the storage of the security code after payment authorisation. Boomerang failed to carry out regular penetration testing on its website, which should have detected the error. It also didn’t ensure the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack”
The ICO has made an example of Boomerang to remind bosses that no one is exempt from the law. Have a look at the ICO explanation
The ICO states “Regardless of your size, if you are a business that handles personal information then failure to take responsibility will land you with a cyber attack fine. And with GDPR coming into force next year, a cyber attack fine could become a lot higher.”
Experts are warning that SMEs are ill-prepared, or not listening. Find out What can you do? here.