A small company, which suffered a cyberattack, was fined 60,000 by the ICO. Boomerang Video Ltd., based in Berkshire, was subject to a cyberattack in 2014, in which 26,331 customer details were able to be accessed. The ICO's investigation found that it had failed to take basic steps to protect its customers' information from a cyberattack. Failures included not carrying out regular penetration testing on the company's website and holding encrypted cardholder details and CVV numbers on its web server for longer than necessary. The ICO's ruling makes clear that any business that handles personal information must comply with data protection laws, irrespective of its size.