Yesterday the Information Commissioner fined Construction Materials Online Ltd. (CMO) £55,000 for a cyber breach.
CMO is an online building material supplier based in Plymouth. Its balance sheet for the year ending December 2016 showed a net worth of just over £1 million. The £55,000 fine therefore represents about 5% of the value of the company, an amount not to be taken lightly by a business of any size, but representative of the sorts of fines to be expected under the new General Data Protection Regulation (GDPR).
The commissioner found that appropriate technical and organisational measures had not been taken, with the result that a coding error on the login page of the company's WordPress website went unnoticed. Attackers exploited the vulnerability through a SQL injection attack to obtain usernames and passwords, and subsequently uploaded a malicious web shell.
The details of 669 cardholders, held unencrypted, were accessed, including names, addresses, account numbers and security codes. The commissioner's statement contains a very pertinent passage of which all small businesses should take heed:
“The commissioner considers that in this case CMO did not deliberately contravene the DPA in that sense. She considers that the inadequacies outlined above were matters of serious oversight rather than deliberate intent to ignore or bypass the provisions of the DPA.
The commissioner has gone on to consider whether CMO knew or ought reasonably to have known that there was a risk that this contravention would occur. She is satisfied that this condition is met, given that CMO was aware of the financial information that was processed on its Website.”
CMO notified the data subjects so that fraudulent transactions could be intercepted. Had that not been the case, under the new GDPR there would have been a separate fine for that alone.
Security specialists like Unity Metrix can audit your business and help you understand your specific threat landscape and vulnerabilities before they are exploited. You would then be in a position to ‘take reasonable steps to prevent the contravention’.
Lessons to be learned:
- It doesn’t matter that you are only a small business; GDPR will still apply
- It doesn’t matter if a contravention is not deliberate; it’s still a contravention
- You should not rely on your web designer alone to secure a website
- A security audit uncovers these sorts of vulnerabilities