An online building products supplier, Construction Materials Online Ltd (CMO), has been fined £55,000 by the Information Commissioner’s Office after the firm failed to protect its customers’ personal information.
CMO was completely unaware that its website contained a coding error which left it vulnerable to a common hacking technique called SQL injection. On 6 May 2014 an attacker used SQL injection to access 669 unencrypted cardholder details, including names, addresses, account numbers and security codes.
Head of Enforcement at the ICO, Steve Eckersley, said: “When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud. Its failure to make cyber security a top priority has proved a costly mistake.”
An investigation by the Information Commissioner’s Office discovered that CMO did not have the appropriate technical measures in place to prevent the attack, and that this was consequently a breach of the Data Protection Act. A copy of the fine can be viewed here.