The ICO has fined an online building products supplier 55,000 for failing to protect its customers' personal information. The website of Construction Materials Online Ltd (CMO) contained a coding error which made it vulnerable to cyber-attack.
A hacker exploited this vulnerability to access the unencrypted details of 669 cardholders. The ICO found that CMO had breached its obligation as a data controller under the seventh data protection principle of the Data Protection Act 1998 to use appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data. In particular, the ICO highlighted the failure of CMO to carry out regular penetration testing on its website and its failure to ensure that passwords for its relevant online accounts were sufficiently complex to resist a "brute-force attack". The ICO considered the breaches to be serious enough to justify the imposition of a monetary penalty of 55,000.