Racing Post slammed by ICO for poor website security after major breach

28 Aug 2014

The Racing Post has been chided by the Information Commissioner’s Office (ICO) for poor website security in light of an attack last year that compromised details on 677,335 users. However, the company has not been fined.

The attack occurred in November 2013 when the website said it was hit by a “sophisticated, sustained and aggressive attack”. Data including usernames, first and last names, passwords, emails, and dates of birth were all taken, although no financial information was compromised.

The ICO said that, despite being the victim of an attack, the website had done little to protect itself pre-emptively.

Its report found the company had carried out no penetration testing on its site since 2007 and failed to apply security patches. This left vulnerabilities open that the attacker exploited using an SQL injection.

The ICO also said that passwords were stored unsalted, something it declared “not appropriate”, and this added to its belief that the website had little understanding of how it should be protecting its users.

“Overall the commissioner determined that the data controller had not displayed an understanding of good security practice, nor the real risk presented by an internet-based attack,” the report stated.

ICO head of enforcement Stephen Eckersley said companies had to accept their responsibilities to be ready for cyber attacks, something Racing Post failed to do.

“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure,” he said.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date.”

The company has now signed an undertaking to improve its security practices and test them out on a regular basis.

V3 contacted the Racing Post for comment on the ICO's report but had received no reply at the time of publication.

Eckersley said the incident should serve as a warning to all businesses that poor IT security practices will be exploited by cyber crooks, as also witnessed by a similar attack that took place on high-street retailer Lakeland in 2013.

The report comes in the same week the ICO fined the Ministry of Justice £180,000 for failing to properly educate prison staff on how to use encryption on hard drives. This meant a lost device put the details of almost 3,000 prisoners at risk.

Dan Worth
About

Dan Worth is the news editor for V3, having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3, Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.
