ICO Instructs Site to Bolster Security

Horse Racing Site to Conduct Routine Testing Post-Breach
ICO Instructs Site to Bolster Security

A horse racing website based in the U.K. has agreed to conduct routine testing and ensure security updates are regularly applied following a data breach in October 2013 that impacted more than 677,000 user accounts.

See Also: The Alarming Data Security Vulnerabilities Within Many Enterprises

An investigation by the U.K. Information Commissioner's Office found that the website, Racing Post, failed to apply up-to-date security patches, which led to cyber-attackers exploiting a vulnerability in the website via an SQL injection attack, allowing them to gain access to the company's database of registered customers.

Information compromised in the breach included names, addresses, passwords, dates of birth and telephone numbers.

The company had carried out penetration tests on its website in 2007, but neglected to make subsequent security updates, the ICO says.

"There is barely a day that goes by without a company being the target of an online attack," said Stephen Eckersley, ICO's head of enforcement. "This is the modern world and businesses and other organizations must have adequate security measures in place to keep people's information secure."

Under an agreement with the ICO, Racing Post will work to improve its compliance with the Data Protection Act by introducing routine security testing and having a policy in place to ensure security updates are regularly applied by Feb. 28, 2015.

The ICO, in a May 2014 report on protecting personal information, identifies steps organizations can take to mitigate the risks of an SQL injection, such as:

  • Be aware of the assets that might be vulnerable to SQL injection;
  • Ensure that website coders are aware of SQL injection risks and avoid coding flaws that could lead to an attack; and
  • Consider procuring independent security testing.

No Fine

The ICO has the ability to issue monetary penalties up to £500,000 for serious breaches of the Data Protection Act.

In the Racing Post case, a penalty was not handed down because an investigation found that financial information for the website's customers was not compromised, the ICO says.

The ICO announcement comes just days after the UK's Ministry of Justice was fined £180,000 following the loss of two unencrypted hard drives containing personal information on prisoners (see: Ministry of Justice Fined for Breaches).


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.