The Information Commissioner’s Office (ICO) has concluded investigations into the online building products supplier, Construction Materials Online Limited (CMO), for breaching data protection principles.
The investigation first began when the online company was hacked back in May 2014.
Cyber criminals identified a security vulnerability and carried out an SQL injection attack against the company’s customer database. SQL injection is commonly used both to destroy databases and to steal the information held in them; in this case, it was used to steal bank details from hundreds of customers.
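The coding error behind an SQL injection is usually that user input is spliced directly into the query text. The following is an added example, not code from the article or from CMO, using an in-memory SQLite table with constructed sample customers; it shows a vulnerable lookup beside the parameterised form that closes the hole.

```python
import sqlite3

# Constructed sample data standing in for a customer table like the one the
# article describes; none of these values are real.
CUSTOMERS = [
    ("Alice Example", "1 High Street", "12345678"),
    ("Bob Example", "2 Mill Lane", "87654321"),
]


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (name TEXT, address TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    # The kind of coding error the ICO describes: the caller's input is
    # pasted into the SQL text, so characters in the input can change the
    # query's logic rather than being treated as a plain value.
    sql = "SELECT name, account_no FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so quotes or keywords in the input remain ordinary data.
    sql = "SELECT name, account_no FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo(name):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = setup_db()
    return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
```

For a well-formed name both lookups return one row; for input containing a quote and an OR clause the vulnerable version returns every customer while the safe version returns none, which is the difference between leaking the whole table and leaking nothing.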
The hackers successfully gained access to 669 customers’ details which included:
- Full names;
- Postal addresses;
- Bank account numbers;
- Security codes.
The compromised information was not encrypted.
Whilst companies may not be expected to have iron-clad security systems that are 100% secure, they are expected to implement comprehensive security measures that hinder and prevent malicious hacking. According to the ICO, CMO’s own website “contained a coding error which left it vulnerable to attack”.
This vulnerability was clearly taken advantage of.
Cyber security still not being taken seriously
As with a lot of businesses, the focus is often on getting customers and making profits, with cyber security sometimes ending up at the bottom of the pile of priorities. However, in today’s increasingly digital world, cyber security needs to be as important as making sure a gadget shop’s locks are in working order.
CMO didn’t test for vulnerabilities
Part of the ICO’s findings revealed that CMO did not carry out any penetration testing to check for weak spots. More security-savvy companies conduct penetration tests by asking an independent security expert to try to break into their systems. If the tester succeeds, the company can fix the weak points without having exposed its data to a malicious third party.
In its thorough investigation, the ICO found that CMO “did not have the appropriate technical measures in place to prevent the attack” and was therefore in breach of data protection laws. The ICO recognises that the security flaw was more of an “oversight than an intentional attempt to bypass the law”. At the end of the day, though, there is no excuse for putting hundreds of customers at risk of potential fraud and associated dangers, and CMO has been issued with a £55,000 fine as a result.
CMO criticised
Steve Eckersley, Head of Enforcement at the ICO, criticised the online company’s failure in its duty towards their customers:
“When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud. Its failure to make cyber security a top priority has proved a costly mistake.”
Ongoing risks for victims
Even though the ICO has completed its investigation and a penalty has been issued, the risks to customers remain. As with the majority of data leaks, the compromised information keeps customers at risk for as long as that information is still valid.
Customers of CMO are being urged to be vigilant for any suspicious activity.