Learn why a simple penetration test could have avoided a £60k fine

The ICO has issued a £60,000 fine to Boomerang Video Ltd after it suffered a cyber attack.

By Roz Woodward

An investigation by the ICO found the Berkshire-based company failed to take basic steps to stop its website being attacked. The ICO found that the company had failed to carry out regular penetration tests which should have detected the website vulnerability.

What happened?

Boomerang Video operates a website that enables customers to rent video games via a payment web application. The website had been developed by a third party and Boomerang Video was unaware that the login page contained a coding error which led to it being vulnerable. On 27th of June 2017, the Information Commissioners Office (ICO) fined Boomerang Video £60,000 after it failed to take basic measures against a cyber attack that resulted in the disclosure of over 26,000 cardholder details.

Why did it happen?

In late 2014, an attacker used an exploit known as a MySQL injection to gain access to usernames and password hashes for the WordPress section of Boomerang Video’s website. One password was discovered to be a simple variation of the company name, and then facilitated the uploading of a malicious file onto the web server. From there, the attacker was able to fully compromise the system and gain access to the personal data inside.

What is a MySQL injection?

A MySQL injection is an old, yet surprisingly common vulnerability. So common, in fact, that OWASP have declared it the number one web application security risk of the year. And not for the first time.

Why did the ICO decide Boomerang were responsible?

The Information Commissioner found that Boomerang Video failed to take appropriate measures against “the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle” of the Data Protection Act. In particular, citing their lack of regular penetration tests and weak password as justification.

The Commissioner finds that…. Boomerang Video did not have in place appropriate technical measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that the personal data stored on the customer database could not be accessed by an attacker performing an SQL injection attack.

In particular:

(a) Boomerang Video failed to carry out regular penetration testing on its website that should have detected the error.

(b) Boomerang Video failed to ensure that the password for the WordPress account was sufficiently complex to be resistant to a brute-force attack on the stored hash values.

(c) Boomerang Video failed to keep the decryption key secure and prevent it being accessed by the attacker.

This was an ongoing contravention from 2005 when the website was developed by the data processor until Boomerang Video took remedial action on 12 January 2015.

Why was the password so weak?

Almost all websites store passwords as hashes, or one-way cryptographic strings. This means even if they’re accessed, the attacker cannot see the plain text password. However, by hashing a list of probable passwords, it’s possible to determine the password by simply finding a hash that matches. In this case, one password was a shown to be a simple dictionary word based on the company name possibly taking minimal effort to crack.

How could regular penetration tests have prevented this?

Penetration tests are designed to seek out vulnerabilities before attackers do by simulating an attack on your network or website. Regular penetration tests, help to ensure you identify any vulnerabilities before they are found and exploited by hackers. Having regular Penetration tests also help demonstrate to the ICO that you are taking positive steps to secure your website if you ever find yourself in the unfortunate situation of suffering a breach.

Aggravating features of this case:

Though the commissioner was presented with mitigating features such as the website being subject to a criminal attack and the substantial remedial action that has now been taken, the commissioner issued a monetary penalty because of the following aggravating features;

  • Boomerang Video was not aware of this security breach until 9 January 2015 when it was notified by its customers
  • Boomerang Video assessed itself to be compliant with the “Payment Card Industry Data Security Standard” despite failing to carry out penetration testing on its website.
  • Boomerang Video received approximately 1,100 complaints and enquiries as a result of this security

What can businesses learn from this?

The key thing organisations need to do is to take ownership – consider the risks to the data they hold and put adequate steps in place to protect it, which in this case included having a penetration test, using complex passwords and ensuring they were PCI DSS Compliant.

Read the full monetary penalty notice below

[pdf-embedder url=”//securious.co.uk/wp-content/uploads/2017/07/mpn-boomerang-video-ltd.pdf”]