While most businesses are pleased to receive free publicity, spare a thought for Berkshire-based Boomerang Video. Not only did the firm’s website suffer a cyber attack in 2014, but last month the company was the subject of an Information Commissioner’s Office (ICO) press release following the ICO’s investigation into the attack. The release cited the £60,000 fine imposed on Boomerang Video and set out the details of the company’s failure to protect its 26,331 customers. Now we are all aware of the significant gaps in the company’s defences. The long-term impact on the firm’s reputation can only be guessed.
The ICO’s investigation found:
- Boomerang Video failed to carry out regular penetration testing on its website, which should have detected the errors;
- The firm failed to ensure that the password for the account on the WordPress section of its website was sufficiently complex;
- Boomerang Video stored some information unencrypted, and the information that was encrypted could still be accessed because the firm failed to keep the decryption key secure;
- Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary.
Sally Anne Poole, ICO enforcement manager, said: ‘Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.’
So what can be done to prevent such damage to a company’s reputation and its bottom line? The ICO has produced a range of guidelines to help businesses with the implementation of GDPR. These include website pages dedicated to the data protection reform legislation and an updated toolkit for SMEs with a checklist to help organisations in their GDPR preparations.
There are also a number of standards which provide guidelines for good practice, including Cyber Essentials and PCI compliance, but a discussion with an experienced information security professional is an even better start. As we get ever closer to GDPR’s enactment next May (yes, just 285 days away), every business that holds any level of customer data needs to go even further in developing its cyber defences. Simple adherence to existing standards does not go far enough.
SRM has a wide range of knowledge and practical experience. Our teams are GDPR trained by GCHQ and work with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur; with appropriate defences in place, however, a business is much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance needed to manage that risk effectively.