British SME fined £60k as the ICO promises that none will be spared
A games company has been fined as an example that any company, big or small, that breaks the rules will be dealt with accordingly, says the ICO.
The Information Commissioner's Office (ICO) has sent a message to SMEs by fining a small Northampton games company for failing to prevent a data breach.
Sally Anne Poole, enforcement officer for the ICO, said in a statement: "Regardless of your size, if you are a business that handles personal information then data protection laws apply to you."
Boomerang Video Ltd, a Northampton-based company which trades under the name Boomerang, offers a video games rental service. It started trading in 2005, and a third party built its website, which, unbeknownst to Boomerang, contained a coding error in the login page.
On 5 December 2014 an attacker exploited that flaw with an SQL injection attack, then uploaded malware and gained access to the company's database. By the end of the month the attacker could access the names, addresses, primary account numbers, card expiry dates and security codes of 26,331 Boomerang customers.
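The article does not say what the coding error in the login page was, only that it allowed an SQL injection that ended in access to the customer database. The following is an added example, not code from Boomerang's site, showing the classic shape of such a flaw beside its fix: a login check that concatenates the submitted username and password into the SQL text, so a quote character in the input ends the string literal and the rest of the input runs as SQL. It uses a constructed SQLite users table (the schema, the users and the plaintext passwords are all assumptions made to keep the injection visible; real code would store password hashes).

```python
import sqlite3

# Constructed sample data: a toy users table standing in for the login
# database behind the site. Not Boomerang's real schema or customers.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_query(username, password):
    """The login-page coding error in its classic form: request fields are
    concatenated into the SQL text, so a quote in the input closes the
    string literal and whatever follows is parsed as SQL."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def vulnerable_rows(conn, username, password):
    """Runs the string-built query and returns every value the database hands back."""
    return [row[0] for row in conn.execute(vulnerable_query(username, password))]


def login_vulnerable(conn, username, password):
    """Returns the authenticated username, or None. Bypassable by injection."""
    rows = vulnerable_rows(conn, username, password)
    return rows[0] if rows else None


def login_parameterised(conn, username, password):
    """Hardened version: bound parameters keep the input as data, never as SQL,
    so the same payloads are compared literally against the stored values."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # 1. Authentication bypass: the "--" comment sequence removes the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))  # alice
    # 2. Data extraction: a UNION turns the login query into a dump of another
    #    column, the step from "got in through the login page" to "read the database".
    print(vulnerable_rows(db, "' UNION SELECT password FROM users --", "x"))
    # 3. The parameterised query treats the same payload as a literal string.
    print(login_parameterised(db, "alice' --", "wrong"))  # None
    print(login_parameterised(db, "alice", "correct horse battery staple"))  # alice
```

The second payload is the one that matters for a breach like this: once a single injectable field exists, an attacker is not limited to logging in as someone else but can pull arbitrary columns from the same database, which is why the ICO's finding about unencrypted card data and a retrievable decryption key turned a website bug into the loss of 26,331 card records. Parameterised queries (or an ORM that uses them) remove the whole class; input filtering on quotes does not.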
Some of those account numbers were stored unencrypted, and the attacker used information obtained from the web server to decrypt the rest, the ICO said, "with ease".
Boomerang did not realise this until 9 January 2015, when customers alerted it to fraudulent use of their cards. Boomerang eventually received more than 1,000 enquiries and complaints about the breach.
The Information Commissioner found that Boomerang had failed to prevent unauthorised access to that data. The company had not carried out regular penetration testing, had not kept its decryption key secure, and had used a password that was not strong enough to resist cracking. These failings, the ICO established, dated back to 2005, when the site was created.
Poole added: "For no good reason, Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today's fine and check that they are doing all they can to look after the customer information in their care."
The ICO also warned that fines could be a lot higher under the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.