Information Commissioner's Office toughens stance on SME data breaches with latest fine

Posted by Andrew Ogilvie in Security

There is much talk and coverage in the IT industry at the moment about businesses needing to prepare for
the  General Data Protection Regulation (GDPR), a new EU law that will replace the Data Protection Act 1998
in the UK from 25 May 2018.

For SMEs the main concepts and principles in GDPR are unchanged from the Data Protection Act. But SMEs, particularly those handling any sort of sensitive data, should still pause and review now their existing obligations under the existing Data Protection Act as the Information Commissioner's Office (ICO) are now clearly intent on enforcing both the current and forthcoming new regulations more rigorously.

The latest example concerns Boomerang Video, a relatively small video game rental company, which suffered a data breach involving customers' personal data and credit card details.

Thieves used a SQL injection vulnerability to gain access to the company's webserver holding customers' private data and some 26,000 credit card records. Remarkably the card data stolen included card CVV codes which PCI rules explictly states should not be stored.

Specific failings included
- no regular penetration tests
- a password was in use that was not complex and therefore vulnerable to a brute force attack
- decryption keys were not secured.

The failure was deemed to be of a kind likely to cause substantial damage or distress, indeed some of the customers were subsequently exposed to fraud.

ICO have now fined Boomerang Video £60,000 under section 55A of the Data Prevention Act 1998, citing a contravention of the seventh data protection principle.

The seventh data protection principle is

"Appropriate technical and organisational measures
 shall be taken against unauthorised or unlawful processing of personal data
 and against accidental loss or destruction of, or damage to, personal data”.


"the measures must ensure a level of security appropriate to –
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected".

Sally Anne Poole, ICO enforcement manager, commented

"Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.  

If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.

Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers."

Any business that processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • secure; and
  • not transferred to other countries without adequate protection.