Online building products supplier fined £55,000 by ICO after SQL injection attack exposed payment details

Attacker accessed Plymouth-based company's customers' payment details

Construction Materials Online, an online building products supplier, has been fined £55,000 by the Information Commissioner's Office (ICO), after an attacker managed to access cardholder details of its customers, which the company had been storing unencrypted.

The company's website contained a coding error which an attacker used to his or her advantage on 6 May 2014. Using a SQL injection attack, they managed to access 669 unencrypted cardholder details. These details included names, addresses, account numbers and even security codes.

The ICO investigated whether the Plymouth-based company had the appropriate technical measures in place to prevent the attack and found that it did not - which is a clear breach of the Data Protection Act.

The data protection watchdog also found that the supplier had failed to carry out regular penetration testing on its ecommerce website, which would have detected the vulnerability.

It also failed to ensure that its own system passwords were sufficiently complex to resist what the ICO called "a brute-force attack".

Furthermore, the fact it could be cracked via a SQL injection attack also suggests that the software the company was using was not patched up-to-date.

"When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud," said ICO's head of enforcement, Steve Eckersley.

"Its failure to make cyber security a top priority has proved a costly mistake," he added.

However, the ICO said that the CMO's failure to keep customers' [personal data] safe was an oversight rather than an intentional attempt to bypass the law.

Eckersley emphasised that it wasn't just large, household-name companies that have to consider cyber security.

"This fine must serve as a warning to other small and medium-sized firms that the security of their customers' personal information must come first," he said.

Given the failings that aided the attackers, the company would have been looking at a much larger fine post-May 2018 when the EU's General Data Protection Regulation (GDPR) fully comes into force.

After 25 May 2018, companies could be looking at fines of up to four per cent of global turnover for the most egregious IT security and data protection compromises.

Join Computing and Forcepoint at 3pm on 18 May for our joint webinar, "Hybrid networks: Securing digital transformation".

Hybrid networks typically blend traditional MLPS networks with managed broadband and WiFi. They can deliver data where it's needed, to more devices, flexibly, efficiently and reliably.

But, this comes at the price of complexity, and also requires a rethinking of security.

So join Computing and Forcepoint on 18 May where we will look at hybrid networks and alternative approaches to achieve a balance of performance and security: enabling digital transformation to become a reality.