Technology

Posted on June 28, 2017 by staff

Firm hit with £60k fine after falling victim to cyber attack

SMEs are being urged to take note after a company hit by a cyber attack was slapped with a £60,000 fine by the Information Commissioner’s Office.

An investigation found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.

Sally Anne Poole, ICO enforcement manager, said: “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

She added: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.

The ICO’s investigation found Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors.

The firm also failed to ensure the password for the account on the WordPress section of its website was sufficiently complex.
It also had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure.

Encrypted cardholder details and CVV numbers were also held on the web server for longer than necessary.

Ms Poole said: “For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018.

This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
