The Information Commissioner’s Office (ICO) has issued a £60,000 fine to video game rental company Boomerang (Boomerang Video Ltd.) this month, following an investigation into a breach of its customer database. The ICO found that, by “fail[ing] to carry out regular penetration testing on its website”, Boomerang left its website vulnerable to SQL injection, and that stored data (including customers’ payment details) could be decrypted.
According to the ICO, the company did not meet the compliance requirements for taking payments and handling the customer card details used to make them. The full monetary penalty notice for this case states that:
Boomerang Video assessed itself to be compliant with the “Payment Card Industry Data Security Standard” despite failing to carry out penetration testing on its website.
Penetration testing is a service carried out by an ethical hacker that examines the security of a target (such as an application, network, website or URL) against external attacks. The examination simulates an attack to identify where vulnerabilities lie, and the penetration testers then make recommendations to fix the security flaws found and remediate any vulnerabilities that could affect the compliance or integrity of the target(s) tested, improving its resilience.
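The flaw the ICO singled out was SQL injection, which is one of the first things a web application penetration test checks for. The following is an added illustration of what such a test looks for and how the fix is applied; it is not code from Boomerang or from the ICO notice. It uses a constructed in-memory SQLite customer table (hypothetical names and postcodes) to show a customer lookup written the vulnerable way, with the input pasted into the SQL text, beside the hardened version that uses a parameterised query, and a test input that changes the query’s meaning in the first but is treated as plain data in the second.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory database standing in for a
    customer table. Values are hypothetical, not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, postcode) VALUES (?, ?)",
        [
            ("alice@example.com", "AB1 2CD"),
            ("bob@example.com", "EF3 4GH"),
            ("carol@example.com", "IJ5 6KL"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable pattern: untrusted input is concatenated straight into the
    SQL string, so the input can alter the structure of the query rather
    than just the value being compared."""
    query = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: the query shape is fixed at write time and the
    driver sends the value separately, so quotes or SQL keywords in the
    input are only ever compared against the column, never executed."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(email):
    """Run both lookups on the same input and return the row counts, which
    is the kind of side-by-side evidence a pentest report records."""
    conn = build_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_safe(conn, email))


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("normal input:", compare("bob@example.com"))
    # A constructed test input whose quote character breaks out of the
    # string literal: the vulnerable query returns every customer, the
    # parameterised query correctly returns no match.
    print("injection test:", compare("' OR '1'='1"))
```

The check a tester runs is exactly the second call: if a single quote in a form field changes the number of rows returned, the query is built by string concatenation and needs to be rewritten with bound parameters as in `lookup_safe`. Parameterisation is the fix; filtering or escaping input on its own is not a substitute.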
Sources:
Enforcement Information from the Information Commissioner’s Office, Information Commissioner’s Office website, https://ico.org.uk/action-weve-taken/enforcement/
Boomerang Video Ltd monetary penalty notice, Information Commissioner’s Office website, https://ico.org.uk/media/action-weve-taken/mpns/2014300/mpn-boomerang-video-ltd.pdf
UK Firm Gets £60K Fine After Pen Test Failure, infosecurity magazine, https://www.infosecurity-magazine.com/news/uk-firm-gets-60k-fine-after-pen/