ICO Instructs Site to Bolster Security
Horse Racing Site to Conduct Routine Testing Post-Breach
A horse racing website based in the U.K. has agreed to conduct routine testing and ensure security updates are regularly applied following a data breach in October 2013 that impacted more than 677,000 user accounts.
An investigation by the U.K. Information Commissioner's Office found that the website, Racing Post, failed to apply up-to-date security patches, which led to cyber-attackers exploiting a vulnerability in the website via an SQL injection attack, allowing them to gain access to the company's database of registered customers.
Information compromised in the breach included names, addresses, passwords, dates of birth and telephone numbers.
The company had carried out penetration tests on its website in 2007, but neglected to make subsequent security updates, the ICO says.
"There is barely a day that goes by without a company being the target of an online attack," said Stephen Eckersley, ICO's head of enforcement. "This is the modern world and businesses and other organizations must have adequate security measures in place to keep people's information secure."
Under an agreement with the ICO, Racing Post will work to improve its compliance with the Data Protection Act by introducing routine security testing and having a policy in place to ensure security updates are regularly applied by Feb. 28, 2015.
The ICO, in a May 2014 report on protecting personal information, identifies steps organizations can take to mitigate the risks of an SQL injection, such as:
- Be aware of the assets that might be vulnerable to SQL injection;
- Ensure that website coders are aware of SQL injection risks and avoid coding flaws that could lead to an attack; and
- Consider procuring independent security testing.
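The coding flaw the ICO's second point refers to is building SQL text by splicing user-supplied values into it, so that the database cannot tell data from query. The following is an added illustration, not code from the ICO report or from Racing Post: it builds a constructed in-memory SQLite table standing in for a registered-customer database, runs the same lookup both ways, and shows that a perfectly legitimate username containing an apostrophe already breaks the concatenated query (the database tries to parse the input as SQL), while the parameterized version handles it as data. Table, column and sample names are invented for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a customer database (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("o'brien", "ob@example.invalid")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable pattern: the input is pasted into the SQL text, so any quote
    character in it changes the structure of the statement."""
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Hardened pattern: the SQL text is fixed and the value travels separately
    as a bound parameter, so the database never parses it as code."""
    sql = "SELECT email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def input_breaks_concat_query(conn, username):
    """Returns True when the concatenated query fails to parse for this input,
    i.e. when the database has started interpreting user data as SQL."""
    try:
        lookup_concat(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "param:", lookup_param(db, name),
              "concat breaks:", input_breaks_concat_query(db, name))
```

The same benign input that makes the concatenated query fail is what makes it exploitable in the hands of an attacker, so a code review that flags every string-built query (and a test suite that feeds quote characters into every input field) is the practical check behind the ICO's advice; the parameterized form is the fix, not input filtering.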
The ICO has the ability to issue monetary penalties up to £500,000 for serious breaches of the Data Protection Act.
In the Racing Post case, a penalty was not handed down because an investigation found that financial information for the website's customers was not compromised, the ICO says.
The ICO announcement comes just days after the UK's Ministry of Justice was fined £180,000 following the loss of two unencrypted hard drives containing personal information on prisoners (see: Ministry of Justice Fined for Breaches).