ICO fines Boomerang Video Ltd for failure to prevent cyber attack

On 27 June 2017, the Information Commissioner's Office (ICO) fined Boomerang Video Ltd (Boomerang) £60,000 after an investigation found that the SME had failed to take basic steps to stop its website being attacked.

The facts

Boomerang enables customers to rent video games through a payment application.  A third party company developed the website in 2005 but Boomerang failed to identify a coding error on the login page.  Boomerang's website was subject to a cyber-attack in 2014, in which 26,331 customer details could be accessed. The attacker used a common technique known as an SQL injection to access the data.

The decision

The ICO’s investigation found that Boomerang had failed to comply with the Data Protection Act 1998 (DPA) for the following reasons:

• Boomerang failed to carry out regular penetration testing on its website that should have detected errors
• the firm failed to ensure the password for the account on the Wordpress section of its website was sufficiently complex allowing the attacker to upload a web shell onto the server
• Boomerang had some information which was stored unencrypted, and that which was encrypted could be accessed because it failed to keep the decryption key secure
• encrypted cardholder details and CVV numbers were held on the web server for longer than necessary

Whilst the ICO took into account several mitigating features, it also took into account the following aggravating features:

• Boomerang was not aware of the security breach until over one month after the attack, when it was notified by its customers
• Boomerang had assessed itself to be compliant with the “Payment Card Industry Data Security Standard” despite not carrying out penetration testing on its website
• Boomerang received almost 1,100 complaints and enquiries as a result of the cyber-attack.

The ICO considered that Boomerang’s contravention was serious, that it ought to have been aware that contravention would have occurred, that there was “no good reason” to explain why reasonable steps had not been taken to prevent the contravention and such contravention was likely to cause substantial damage and distress.  A monetary penalty was therefore issued under s.55A of the DPA.

The ICO said in its Monetary Penalty Notice:

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers.  Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers”.

Why is this important?

As organisations look to prepare themselves for the introduction of the General Data Protection Regulation (GDPR) in May 2018, the fine provides a timely reminder of the existing requirements which must be met to protect customer information from data breaches.  If businesses are judged to have contravened data protection legislation, then the ICO will not hesitate to hand out penalties designed to be taken seriously.  It is also probably worth noting that for the most serious violations of the forthcoming GDPR, the ICO will have the power to fine companies up to €20m or 4% of a company's total annual worldwide turnover for the preceding year.  Add in the loss of consumer trust, plus the potential for civil claims for data violations (e.g. for distress), and the total cost/damage could prove substantial, if not terminal to smaller companies.

Any practical tips?
Ensure the tech teams are aware of the knock on effect of a failure to fix common coding errors. And if you’re buying a company, make sure that the corporate team focuses on including the relevant representations and warranties to enable recovery should the worst happen (e.g. from a data hack) post acquisition.