4th May 2017

A firm supplying building products online has been fined £55,000 for failing to protect its customers’ personal information, after a hacker was able to exploit a coding error on its website to access unencrypted cardholder details such as names, addresses, account numbers and security codes.

Construction Materials Online Limited (CMO) of Plymouth was unaware of the coding error, which allowed the cyber bandit to use the common ‘SQL injection’ hacking technique to access the data.

‘Construction Materials Online Ltd monetary penalty notice’ explains how an investigation by the Information Commissioner’s Office revealed that the firm did not have the appropriate technical measures in place to prevent the attack.

It failed to carry out regular penetration testing on its website, which should have detected the vulnerability, and also failed to ensure its own system passwords were sufficiently complex.

While CMO was in breach of the Data Protection Law, the investigation identified that the firm’s failure to keep customers’ personal data safe was an oversight, rather than an attempt to bypass the law.