The Racing Post has been chided by the Information Commissioner’s Office (ICO) for poor website security in light of an attack last year that compromised details on 677,335 users. However, the company has not been fined.
The attack occurred in November 2013 when the website said it was hit by a “sophisticated, sustained and aggressive attack”. Data including usernames, first and last names, passwords, emails, and dates of birth were all taken, although no financial information was compromised.
The ICO said that, despite being the victim of an attack, the website had done little to protect itself pre-emptively.
Its report found the company had carried out no penetration testing on its site since 2007 and failed to apply security patches. This left vulnerabilities open that the attacker exploited using an SQL injection.
The ICO also said that passwords were stored unsalted, which it declared “not appropriate”, and this reinforced its view that the website had little understanding of how it should be protecting its users.
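The two failings the ICO names above, query code that lets user input reach the SQL parser as syntax, and password hashes stored without a salt, can be shown next to their hardened forms. The Python below is an added example and is not code from the Racing Post, the ICO or V3; the user table, usernames, passwords and the PBKDF2 work factor are constructed sample values, and an in-memory SQLite database stands in for whatever database the site actually used.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the example; not real user data.
SAMPLE_USERS = [("alice", "alice@example.com"), ("o'brien", "ob@example.com")]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def make_db():
    """In-memory SQLite table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# --- Query construction: the weak form beside the fixed form ---------------

def find_user_concat(conn, username):
    """Weak form: the username is pasted into the SQL text, so a quote
    character inside it is read by the parser as SQL syntax, not as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def find_user_param(conn, username):
    """Fixed form: a bound parameter. The driver passes the value separately
    from the query text, so the value can never alter the query's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def concat_lookup_fails(conn, username):
    """True when the string-built query is rejected by the SQL parser: the
    tell-tale that user input is reaching the parser as syntax."""
    try:
        find_user_concat(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


# --- Password storage: unsalted beside salted -----------------------------

def hash_password_unsalted(password):
    """The practice the ICO criticised: a bare digest of the password.
    Equal passwords give equal hashes, so one cracked entry exposes every
    account that shares the password, and precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password_salted(password, salt=None):
    """Per-user random salt plus a slow key-derivation function.
    Returns (salt, digest); both are stored alongside the account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    conn = make_db()
    print("parameterised lookup:", find_user_param(conn, "o'brien"))
    print("string-built query rejected:", concat_lookup_fails(conn, "o'brien"))
    print("unsalted hashes collide:",
          hash_password_unsalted("winter2013") == hash_password_unsalted("winter2013"))
    s1, d1 = hash_password_salted("winter2013")
    s2, d2 = hash_password_salted("winter2013")
    print("salted digests differ:", d1 != d2)
    print("verify:", verify_password("winter2013", s1, d1))
```

The lookup for `o'brien` is deliberately a legitimate username rather than an attack string: the string-built query fails on it because the apostrophe is parsed as SQL, which is exactly the property an injection relies on, while the bound-parameter form returns the row. On the password side, the two salted digests of the same password differ, so a stolen table cannot be matched against a precomputed list, and the slow KDF raises the cost of guessing each entry.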
“Overall the commissioner determined that the data controller had not displayed an understanding of good security practice, nor the real risk presented by an internet-based attack,” the report stated.
ICO head of enforcement Stephen Eckersley said companies had to accept their responsibilities to be ready for cyber attacks, something Racing Post failed to do.
“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure,” he said.
“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date.”
The company has now signed an undertaking to improve its security practices and to test them on a regular basis.
V3 contacted the Racing Post for comment on the ICO's report but had received no reply at the time of publication.
Eckersley said the incident should serve as a warning to all businesses that poor IT security practices will be exploited by cyber crooks, as was also seen in a similar attack on high-street retailer Lakeland in 2013.
The report comes in the same week the ICO fined the Ministry of Justice £180,000 for failing to properly educate prison staff on how to use encryption on hard drives. This meant a lost device put the details of almost 3,000 prisoners at risk.
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.