AN ALDERMASTON-based company has been fined £60,000 for failing to protect customers’ data from a cyber attack.
Video game rental site Boomerang Video Ltd, based in Calleva House, was hit by the attack in 2014, which led to the details of 26,331 customers being accessed.
The Information Commissioner’s Office (ICO) ruled that the company had failed to take basic steps to stop its website being attacked.
The attacker used a common technique known as SQL injection to access data on the website, which was developed in 2005 by a third party company.
The ICO report said that Boomerang Video was unaware that the login page contained a coding error.
The attacker downloaded files containing cardholder details and, although part of the account numbers were stored unencrypted, the attacker was able to gain access to the decryption key with ease.
Boomerang only became aware of the attack when customers notified it on January 9, 2015.
ICO enforcement manager Sally Anne Poole said: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers.
“Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
An investigation found that the company failed to carry out regular testing that should have detected the errors.
It also failed to ensure that the password for the WordPress section of the site was sufficiently complex.
Boomerang stored some encrypted information on the site and it also failed to keep the decryption key for encrypted data secure.
The report added that encrypted cardholder details and security numbers were held on the web server for longer than necessary.
Ms Poole said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO.
“And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.
“For no good reason, Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO noted that Boomerang Video had reported this incident to the commissioner and was co-operative during the investigation.
The commission said the company had taken substantial remedial action and recognised that a fine could have a significant impact on its reputation and, to some extent, its resources.
Boomerang Video was asked for comment, but did not respond before this paper went to press.