A company supplying building products online has been fined £55,000 by the Information Commissioner’s Office (ICO) after an attacker accessed the unencrypted financial details of 669 customers, including names, addresses, account numbers and security codes.
The website had been developed by a third party but contained a coding error which meant the website was vulnerable to attack. The company did not become aware of the error until a customer notified it of the problem. It subsequently received 50 complaints and enquiries from customers.
Despite the fact that the website had been developed by a third party, the company was still liable for the breach under the Data Protection Act 1998. The ICO found that the company did not have appropriate security measures in place to protect customer data. It had not carried out regular penetration testing on its website, which would have identified the problem, nor had it ensured that passwords for the website were sufficiently robust.
The ICO found that the company’s failure was a serious oversight rather than a deliberate intention to flout the law. Nevertheless, it was a serious contravention of the seventh data protection principle of the Data Protection Act which says that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO fined the company £55,000 and commented that “this fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first.”
The moral of the story? Businesses that process personal data, such as names, addresses and financial details, are ultimately responsible for the security of that data, and for regularly checking that the security measures in place are appropriate. Businesses cannot rely on a third-party error as a defence to a breach of the Data Protection Act.