Small firms in data security warning
Phil Brown, a specialist technology lawyer at regional law firm Napthens, is urging small businesses to regularly review their cyber security.
Phil warns that many businesses consider such security an issue only for large firms, but recently a smaller online retailer was hit with a £55,000 fine by the Information Commissioner's Office (ICO) following a security breach.
The retailer, Construction Materials Online (CMO) Ltd, was fined after hackers gained access to 669 customer cardholder records.
Reports say that CMO had engaged a developer to build its website in 2009, but the site contained a vulnerability that enabled hackers to gain access to usernames and passwords. In 2014 the attacker modified the payment pages and gained access to hundreds of unencrypted cardholder details, including name, address, account number and security code.
Ultimately the ICO found the business had failed in its duty to put in place appropriate technical measures to protect the security of personal data and, in particular, that it had:
- Failed to carry out regular testing on its website that should have detected the error; and
- Failed to ensure that its admin passwords were sufficiently complex to be resistant to a brute force attack.
Phil said: “CMO was not accused of any deliberate wrongdoing, but the nature of the attack is well understood, and the company had not taken any action to regularly secure the site.
“This meant that the business ought reasonably to have known of the risk and that any such attack could cause substantial damage or distress by the unauthorised use of the financial information.
“CMO only found out about the breach in 2015 when it received complaints and it began substantial remedial action and notified all affected customers.
“This case highlights that it is not just large businesses which face such risks of security breaches, but small ones too.
“The nature of modern commerce means there is no excuse for not properly protecting customer information, and every business should regularly review their cyber security.
“This will become even more important from May 2018 once the General Data Protection Regulation, or GDPR, comes into effect – setting out even stricter rules on data controllers and processors and introducing even larger fines.”