Last year hackers breached the website of UK newspaper the Racing Post and made off with a large haul of personal information belonging to over 677,000 customers.
The October attack saw names, addresses, dates of birth, telephone numbers and passwords exposed, but the Racing Post will not be fined, says the Information Commissioner’s Office (ICO).
The ICO said its decision not to levy any financial penalty on the newspaper was a close one, perhaps because its security was found to have been so lax: an investigation discovered that the last penetration test had been run in 2007, six years before the SQL injection attack that led to the compromise.
The attack took advantage of existing vulnerabilities in the racingpost.com website which allowed the hackers to access the company’s database of registered users.
The ICO investigation revealed that security around both the website and the customer database was lacking.
Not only had penetration testing ceased in 2007, but regular security patches had also been missed since that time.
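The article does not say which query on racingpost.com was injectable, so the following is an added illustration, not the site's code: a login-style lookup that splices user input into the SQL statement, beside the parameterised form, run against an in-memory SQLite table of constructed sample users. The table, the column names and the payloads are all assumptions for the demonstration.

```python
"""Added example: SQL injection in a user lookup, vulnerable vs parameterised.
Not code from the Racing Post site; the users table and data are constructed."""
import sqlite3


def build_db():
    """Constructed sample database standing in for a registered-users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, dob TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "1980-01-01"),
            ("bob", "bob@example.com", "1975-06-15"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Attacker-controlled text is spliced straight into the statement, so the
    # input can close the quoted literal and append its own SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The driver binds the value separately; it is never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology: turns the WHERE clause into "username = '' OR '1'='1'".
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# UNION-based payload: pulls a column (dob) the query never meant to expose.
# The trailing "--" comments out the closing quote the application appends.
UNION_PAYLOAD = "' UNION SELECT username, dob FROM users --"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, tautology :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union     :", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("safe, tautology       :", lookup_safe(conn, TAUTOLOGY_PAYLOAD))
    print("safe, union           :", lookup_safe(conn, UNION_PAYLOAD))
    print("safe, real user       :", lookup_safe(conn, "alice"))
```

The first payload returns every row from the vulnerable query; the second returns the dates of birth even though the application only selected usernames and emails. The parameterised version treats both payloads as literal usernames that match nothing. A penetration test, which is exactly what the ICO found had lapsed, is how this class of flaw is normally caught before an attacker finds it.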
ICO Head of Enforcement, Stephen Eckersley, said:
“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure.
“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers’ details.”
The Racing Post has now signed an undertaking in which it acknowledged its previous lapses and promised it would do better in the future.
The Commissioner will now keep a close eye on the Racing Post, which will in turn endeavour to keep its security practices current, as well as replace the woefully inadequate unsalted password hashing it had in place for customers.
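To show why an unsalted scheme is inadequate and what the replacement looks like, here is an added example, not the Racing Post's code: two accounts with the same password get the same unsalted hash, and one precomputed table over a wordlist cracks every such hash at once, whereas a per-user salt with an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) makes each account a separate job. The wordlist, passwords and storage format are constructed for the demonstration.

```python
"""Added example: unsalted password hashes beside a salted, iterated scheme.
Not code from the Racing Post; users, passwords and wordlist are constructed."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["letmein", "password1", "racing", "qwerty"]


def store_unsalted(password):
    """The weak scheme: a single plain SHA-1 over the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None, iterations=600_000):
    """Per-user random salt plus an iterated hash; stored as one string
    (algorithm$iterations$salt$digest, a format chosen for this example)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iterations; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(hashes, wordlist):
    """One table computed once over the wordlist cracks every unsalted hash
    in the dump; salted hashes would need this work repeated per user."""
    table = {store_unsalted(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    # Two customers who chose the same password (constructed).
    print("unsalted, same pw:", store_unsalted("letmein") == store_unsalted("letmein"))
    print("salted, same pw  :", store_salted("letmein") == store_salted("letmein"))

    dump = [store_unsalted(p) for p in ("letmein", "racing", "S3cretX!")]
    print("cracked from dump:", crack_unsalted(dump, WORDLIST))

    record = store_salted("letmein")
    print("verify correct   :", verify_salted("letmein", record))
    print("verify wrong     :", verify_salted("wrong", record))
```

With unsalted hashes, the attacker who stole the Racing Post's table could reverse every common password in one pass and immediately see which customers shared one. A random salt per user defeats the shared table, and the iteration count makes each guess cost the attacker roughly as much as it costs the site at login.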
Assuming the Commissioner is content with the progress made, no fine will be imposed, saving the Racing Post a potential penalty of up to £500,000 which it could expect for a breach of the Data Protection Act.
(Personally I think this is far too lenient and I do not believe the ICO goes as far as it perhaps could to actually make organisations sit up and think about the consequences of a breach – what do you think?)
Meanwhile, punters may wish to investigate the security measures employed by the online establishments they frequent, following the news last month that Irish bookmaker Paddy Power was breached with the resulting loss of almost 650,000 customer records. In that case, the bookmaker took a whopping four years to declare the incident, which one can only assume gave the bad guys plenty of time to make use of the information in all manner of ways.