From the Information Commissioner’s Office:
An online building products supplier has been fined £55,000 by the Information Commissioner’s Office (ICO) after the firm failed to protect its customers’ personal information.
Construction Materials Online Ltd (CMO) was unaware its website contained a coding error which left it vulnerable to attack. On 6 May 2014 an attacker used a common hacking technique called an SQL injection to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.
An investigation by the ICO discovered the Plymouth-based firm did not have the appropriate technical measures in place to prevent the attack. This is a breach of the Data Protection Act.
Head of Enforcement at the ICO, Steve Eckersley said:
“When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud.
“Its failure to make cyber security a top priority has proved a costly mistake.”
The ICO found that CMO failed to carry out regular penetration testing on its website that should have detected the vulnerability. It also failed to ensure that its own system passwords were sufficiently complex to resist a brute-force attack.
But the investigation also revealed that CMO’s failure to keep customers’ personal data safe was an oversight rather than an intentional attempt to bypass the law.
Mr Eckersley said:
“It’s not just large, household-name companies that have to consider cyber security. Cyber security must be a top priority for businesses regardless of size.
“This fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first.”
The Information Commissioner’s Office has online tools to help small and medium-sized businesses (SMEs) comply with the law.