Racing Post escapes ICO fine after leaking info of 677K punters

UK sports-betting newspaper the Racing Post has received a stern warning – but not a fine – after it emerged that it had aired the private details of more than 677,000 customers as the result of a security breach last year. The October 2013 snafu resulted in the exposure of the names, addresses, passwords, dates of birth and …

  1. Anonymous Coward

    Useless Buggers

    These guys are utterly useless; their site is dreadful as the data is often wrong, out of date, showing the wrong horses running, showing the wrong results and even sometimes the wrong races.

    And to think that I am trying to make a living out of this game.

    AC because they may close my account as they don't like people rocking the boat.

    1. Alan Brown Silver badge

      Rule in all gambling:

      There's only one winner - the House.

  2. Sureo
    WTF?

    Legal penalty = nil, customer concern = nil, consequence to business = nil

  3. Vimes

    Compare and contrast with the £180,000 handed to the MoJ for failing to encrypt hard drives. Funny how the fines skyrocket when public authorities funded by the taxpayer are involved. The more cynical amongst us might be tempted to come to the conclusion that the ICO is little more than a mechanism for the government to claw back funding.

    How is failing to secure a website any better than failing to secure the hardware?

  4. Anonymous Coward

    It was a commercial company that screwed up...

    ... so the ICO is under strict orders to touch them lightly with a Feather Duster in such cases.

    1. The BigYin

      Re: It was a commercial company that screwed up...

      Indeed, just like banking. Can't interrupt criminals at work.

      Why there isn't a flat fee per individual I don't know.

      Non-identifying info - £1 per record

      Communication info [cyber] - £2 per address

      Communication info [real] - £5 per number

      Identifying info [minor] - £10 per record (e.g. name and city - probably not enough to be truly unique)

      Identifying info [reversible] - £50 per record (e.g. when combined with another readily available dataset, it becomes trivial to uniquely identify a person; name, postcode, d.o.b.)

      Identifying info [full] - £100 per record (without reference to any other dataset, it is possible to uniquely identify someone)

      Add in some other entries for financial etc. and you can simply calculate a fine, which could well be ruinous even for a small breach (e.g. "Racing Post" could have been on to a £6.7 million fine). AND THAT'S A GOOD THING!

      Why?

      Well, it will make companies seriously consider if they need to collect that information at all; rather than just doing the data-rape land-grab they do now.

      1. Alloqui Strix
        Alert

        Re: It was a commercial company that screwed up...

        I think this is a great idea; this way there is no ambiguity and the 'public funded companies' wouldn't be the cash cow for the ICO.

        It is interesting the point you made about local government agencies against private companies; I'll keep my eye out for that in future.

  5. Alister Silver badge

    I would hazard a guess that, as is usual in these cases, the website is the product of some design / web agency, and not directly produced by the Racing Post.

    If that is the case, it should be the agency that gets hammered, not the headline company, or they'll just keep churning out the same old rubbish.

    In this day and age, writing a site that is susceptible to SQL injection is just unforgivable.

    1. silent_count

      "If that is the case, it should be the agency that gets hammered, not the headline company, or they'll just keep churning out the same old rubbish."

      That would leave the headline company with absolutely no incentive to perform any kind of due diligence.

      "Yeah look. We hired the CEO's four year old nephew to design and implement the website. We paid him in Fruit Loops and performed no testing of any kind. How could we know the website would leak customer data?"

      If the Racing Post, or any other mob, chooses to have a website, the buck *should* (well played ICO) stop with them.

  6. Version 1.0 Silver badge

    Sub contract escape

    This is the way to do business these days - sub-contract everything and take responsibility for nothing.

  7. phuzz Silver badge
    FAIL

    No comments about what a mare the Racing Post website is? Or how it's got knackered security?

    No quips about laying long odds of it happening again, or asking who dobbin'd them in to ICO?

    No horse racing puns at all commentards? FOR SHAME!

    1. gerryg

      neigh, lad

      why look a gift horse in the mouth?

  8. Harry Stottle

    @BigYin

    Tried to upvote your comment but my upvote seems to have disappeared.

    In any case, I fully support your proposed approach (we can haggle over amounts but the principle is sound). In 2008, I created an authentication system for a security firm who were obliged to check the paperwork for any casual labour they hired to ensure they had employment rights in the UK. The only thing that forced the firm to take the matter seriously was the prospect of a fine for failure to demonstrate their checks had been carried out, as prescribed in law (we'll gloss over the Security Theatre involved). That fine was a non-negotiable £10k PER INDIVIDUAL failure. That made them sit up and take notice...


Biting the hand that feeds IT © 1998–2019