

Racing Post slammed by ICO for poor website security after major breach

28 Aug 2014

The Racing Post has been chided by the Information Commissioner’s Office (ICO) for poor website security in light of an attack last year that compromised details on 677,335 users. However, the company has not been fined.

The attack occurred in November 2013 when the website said it was hit by a “sophisticated, sustained and aggressive attack”. Data including usernames, first and last names, passwords, emails, and dates of birth were all taken, although no financial information was compromised.

The ICO said that, despite being the victim of an attack, the website had done little to protect itself pre-emptively.

Its report found the company had carried out no penetration testing on its site since 2007 and failed to apply security patches. This left vulnerabilities open that the attacker exploited using an SQL injection.

The ICO also said that passwords were stored unsalted, something it declared “not appropriate”, and this added to its belief that the website had little understanding of how it should be protecting its users.

“Overall the commissioner determined that the data controller had not displayed an understanding of good security practice, nor the real risk presented by an internet-based attack,” the report stated.

ICO head of enforcement Stephen Eckersley said companies had to accept their responsibilities to be ready for cyber attacks, something Racing Post failed to do.

“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure,” he said.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date.”

The company has now signed an undertaking to improve its security practices and test them out on a regular basis.

V3 contacted the Racing Post for comment on the ICO's report but had received no reply at the time of publication.

Eckersley said the incident should serve as a warning to all businesses that poor IT security practices will be exploited by cyber crooks, as also witnessed by a similar attack that took place on high-street retailer Lakeland in 2013.

The report comes in the same week the ICO fined the Ministry of Justice £180,000 for failing to properly educate prison staff on how to use encryption on hard drives. This meant a lost device put the details of almost 3,000 prisoners at risk.

Dan Worth