Who: Boomerang Video Ltd. (“Boomerang”) and the Information Commissioner’s Office (“ICO”)
Where: UK
When: 27 June 2017
Law stated as at: 7 August 2017
What happened:
Boomerang is an SME that runs a website allowing customers to buy and rent video games. Boomerang’s website contained a coding error which allowed a hacker to use SQL injection to gain access to the personal data of over 26,000 Boomerang customers, including their card details (name, address, expiry dates and CVV security code numbers), usernames and passwords.
The coding error remained undiscovered for approximately ten years, due to what the ICO held to be Boomerang’s failure to undertake appropriate technical and organisational measures to protect its customers’ personal data. In particular, the ICO found that Boomerang had failed to (i) carry out regular penetration testing on its website; (ii) ensure that passwords were sufficiently complex to be resistant to brute-force attack on the stored hash values; and (iii) keep the decryption key secure and prevent it from being accessed by the attacker.
The ICO was of the opinion that, although SQL injection is a common technique used by hackers, it is also well understood by information security practitioners, and there are well-known defences that can easily be used to protect against such attacks, even by SMEs. As a result, there were simple and reasonable steps that Boomerang had failed to take in order to protect the personal data of its customers, and the ICO issued Boomerang with a fine of £60,000 for breaching the Data Protection Act.
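To make the "well-known defences" concrete, the following is an added illustration (not code from the ICO notice or from Boomerang's site) of the class of coding error at issue: a customer lookup that builds SQL by string concatenation, beside the parameterised form that the database driver handles safely. The table, column names and customer rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer table; not Boomerang's schema.
CUSTOMERS = [
    ("alice", "pbkdf2-hash-1", "4111********1111"),
    ("bob", "pbkdf2-hash-2", "5500********0004"),
    ("carol", "pbkdf2-hash-3", "3400********0009"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, pw_hash TEXT, card TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: the user-supplied value becomes part of the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = "SELECT username, card FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Parameterised query: the value is bound separately and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username, card FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the same constructed input and return the rows."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable": lookup_vulnerable(conn, probe),   # every customer row
        "hardened": lookup_parameterised(conn, probe),  # no rows: no such username
        "normal": lookup_parameterised(conn, "alice"),  # ordinary lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hardened lookup is no harder to write than the vulnerable one, which is the point the ICO made about the defence being within reach of an SME; a regular penetration test of the site would also have exercised exactly this input.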
Why this matters:
This enforcement action by the ICO goes to show that the size of a company does not affect the importance of protecting personal data within the company’s control. No matter the size of the company, appropriate technical and organisational measures must be taken to ensure that personal data is protected and processed in accordance with the law.
The security measures that a company takes in order to protect personal data should take into account the state of the art and the cost of implementation, and should be proportionate to the nature, scope, context and purposes of processing and to the potential risks for the data subjects.
Data protection compliance is now more important than ever before. With the implementation of the GDPR fast approaching (25 May 2018) and the accompanying dramatic increase in potential fines, from £500,000 to €20,000,000 or 4% of global annual turnover (whichever is the greater), companies of all sizes should be conducting information security audits in order to ensure that their data security measures and data privacy infrastructures are up to scratch.