back to article Pwned UK SME fined £60K for leaving itself vulnerable to hack attack

A small UK company that suffered a cyber attack has been fined £60,000 by the Information Commissioner’s Office (ICO). An investigation by the ICO found Berkshire-based Boomerang Video failed to take basic steps to stop its website being attacked, a hacking incident that led to the exposure of the personal details of 26,000 …

  1. Will Godfrey Silver badge
    Unhappy

    OK

    Seeing as government and big business have got their act totally together and never ever make such silly mistakes, it's high time the little guys were brought into line /s

    1. Phil W

      Re: OK

      Your point certainly has some merit morally, but equally it kind of rings of the childish excuse "but everyone else was doing it", just because no-one else is complying with the rules properly doesn't mean it's ok for you not to as well.

      There's also an argument that if you're a small operation then you have fewer systems to maintain and therefore securing them, and testing that security should be much simpler.

      Big corps have a lot more systems which can be a lot more complex and therefore harder to secure and security test. Not that that is any excuse of course, big corps should also have the resources to tackle such things, either internally or by outsourcing, but it is easier to understand how the odd thing could slip through the net where as in this case it's a small outfit who've failed to take even basic precautions.

    2. adnim Silver badge

      Re: OK

      You have a point.

      However: If one gets hacked and exposes the personal information of ones clients to an unauthorised third party, it is not the fault of a company or government that was taking similar and as lax precaution as oneself...

      It's YOUR fault.

      1. Yet Another Anonymous coward Silver badge

        Re: OK

        What if the attackers were a foreign inteligence agency using zero day exploits that your own security service hadn't published?

        If I got hit by a N Korea ICMB would that be my fault for not securing a proper ABM defence ?

        1. big_D Silver badge
          Facepalm

          Re: OK

          On the other hand, SQL Injection was a "zero day" back in the 90s, before the term was even invented!

          Sanitizing input for the database has been SOP since the late 90s, there is absolutely no excuse for it in 2017! Any programmer who doesn't check for this in his own testing should be strung up by his short and curlies!

          A zero day is different, this is an unknown attack vector at the time the system was implemented / since the last patch. You can't really defend against that, other than making sure that everything else is secure. In that case, you probably won't get a fine.

          But failing to check your systems are compliant with Security 101 from the 1999 edition of the guidelines is simply criminal. Not properly securing the private key for encrypted data is dilettantish at best.

        2. EuKiwi

          Re: OK

          You're missing the point - in this case they failed to test/check penetration with regard to known vulnerabilities. Otherwise how could it have been determined that they hadn't defended against them?

        3. Lotaresco

          Re: OK

          "If I got hit by a N Korea ICMB"

          An Ice Cream Meringue Bombe? An Insanely Clever Mystical Book?

          BTW, you may want to look at this Wikipedia page: List of fallacies

          Your argument falls into the categories of "False equivalence" and "Tu quoque" with an element of "Vacuous truth". Quite a haul of fallacies for two sentences.

  2. Kernel Silver badge

    Alternative result

    "The ICO hopes the enforcement action (pdf) will not prompt other small businesses to review their security policies sweep all traces all traces of future breaches under a very large and heavy carpet."

    1. FlamingDeath Bronze badge

      Re: Alternative result

      That's pretty much what will happen in most cases when a profit driven business is faced with a potential fine if they come clean about the breach

  3. Wensleydale Cheese

    It's a start

    "An ICO investigation found that Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors."

    At last we have an official recommendation for regular penetration testing.

    I don't think I've seen one of those before, except buried somewhere in a lengthy post mortem.

    1. Richard 12 Silver badge

      Re: It's a start

      This is a lengthy post mortem, so...

    2. Adam 52 Silver badge

      Re: It's a start

      At first glance the pen testing bothered me. I've never considered pen testing to be a mandatory security feature, certainly to the point that failing to pen test is criminal (a huge bar).

      But the ICO's point was that pen testing is part of the PCI compliance that the company claimed to have. So they were effectively lying about their PCI compliance.

    3. Lotaresco

      Re: It's a start

      "At last we have an official recommendation for regular penetration testing.

      I don't think I've seen one of those before, except buried somewhere in a lengthy post mortem.

      ?

      I think you haven't been paying attention in that case. The publicity about penetration testing from Cabinet office, GDS and the Government Cyber Essentials Scheme has been constant for the last four years at least. Also the PCI DSS rules require an organisation taking payment by credit card to undergo a penetration test at least annually. These bozos were lazy, incompetent and were breaking the rules that all merchants must apply when handling credit card payments and processing card holder details.

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Zero day...

    To be honest, we may as well all give up now if this is going to be the attitude of the enforcers. I can guarantee that with 100% motivation, fully financed, and with no distractions I could take down and breach pretty much any internet facing system... and I am not even that good.

    Basic data protection methods should be enforced and punishable, but beyond that, how do you protect against the unknown?

    1. CentralCoasty
      FAIL

      Re: Zero day...

      The fine is nasty - but the main criticism seems to be related to fairly basic technical issues that any BOFH or like-minded geek would have seen as the bleedin obvious!

      If it was run by techy nerds they should have known better and deserve the hard slap.

      More likely it was run by salesmen who ignored their technical people (if they even had any as they may have just "outsourced" any tech type stuff as needed) - in which case they also deserve everything they got.

    2. Richard 12 Silver badge

      Re: Zero day...

      They're being fined because they didn't take even basic measures to protect their systems.

      As is usual for risk-based law, this is all about what is "reasonably practicable".

      So if you store CVV numbers for more than a second, you're guilty as ****.

      If you follow industry best practice but still get hacked, then you're not guilty.

      If you fail to keep up with best practice, you're guilty.

    3. Loud Speaker

      Re: Zero day...

      how do you protect against the unknown?

      If you think SQL injections are "the unknown" then you probably should not be commenting on computer security. You certainly should not be setting up internet facing systems.

    4. Lotaresco

      Re: Zero day...

      "how do you protect against the unknown?"

      Getting your web payment site hacked is not "the unknown" it's the "all too bloody obvious even to a moron". Taking very basic steps to lock down systems and separate payments/finance and personal data from the customer-facing sites is also not unknown. It's just appropriate business practice. People who think that because they don't know how to design a secure e-commerce site that no one does are suffering from a massive does of Dunning-Kruger syndrome.

    5. hmv Bronze badge

      Re: Zero day...

      What zero day?

      You protect against the unknown by following security best practice (which these bozos didn't).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019