Racing Post dodges ICO data breach fines

Chief executive forced to sign a publicised contract to improve company's data security instead

The Racing Post will not have to pay a fine following the breach of 700,000 customer details last year, the Information Commissioner's Office has said.

The racing magazine and website has instead come to an "agreement" with the ICO, which will see it put better security measures in place by early next year. The ICO has the power to fine organisations up to £500,000 for a breach of the Data Protection Act.

Hackers used an internet-based SQL injection attack on the website to gain access to the newspaper's customer database in an attack last year.

Customers' names, addresses, passwords, date of birth and telephone numbers were accessed. No financial information was compromised.

The company carried out penetration testing in 2007, but had not applied any up-to-date security patches since then.

Following an investigation, the ICO "found problems" with the way the company stored its customers' details. The company had no regular security testing in place, the ICO said.

The company stored customer passwords as un-salted MD5 hash values, which the commissioner deemed "not appropriate".

MD5 is a hash function whose output has become increasingly easy to crack due to published advice on blogs and discussion boards online.
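As an added illustration, not code from the article or from the Racing Post, the following Python shows the weakness the ICO singled out: an unsalted MD5 store beside a salted, deliberately slow alternative, using constructed sample credentials (the user names and passwords are made up).

```python
import hashlib
import hmac
import os

# Constructed sample records: two users who happen to share a password.
USERS = {"alice": "racing2013", "bob": "racing2013", "carol": "different-pass"}


def store_unsalted_md5(password: str) -> str:
    """The scheme the ICO criticised: a bare MD5 digest of the password.
    Deterministic, so equal passwords give equal digests across all users."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, iterations: int = 200_000) -> str:
    """Hardened form: random per-user salt plus a slow key-derivation function.
    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_password_exposure(records: dict) -> dict:
    """Map each stored digest to the users sharing it.
    With unsalted hashes a stolen table reveals which accounts share a
    password, and one precomputed lookup applies to every account at once;
    per-user salts make every digest unique, so this returns nothing."""
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    unsalted = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    print("unsalted duplicates:", duplicate_password_exposure(unsalted))
    print("salted duplicates:  ", duplicate_password_exposure(salted))
    print("bob verifies:", verify_salted_pbkdf2("racing2013", salted["bob"]))
```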

At the time of the attack, the Racing Post told its customers in a post on its website that it had been victim to a "sophisticated, sustained and aggressive" hack.

ICO Head of Enforcement, Stephen Eckersley, said: "There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people's information secure.

"The Racing Post pulled up short when it came to protecting their customers' information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers' details."

The Racing Post is owned by a Dublin-based investment firm, FL Partners. It acquired the magazine in 2007 from Trinity Mirror PLC for £165 million.

The ICO published the enforcement document, signed by chief executive, Alan Byrne, on its website last week.

This story, "Racing Post dodges ICO data breach fines" was originally published by Computerworld UK.

Copyright © 2014 IDG Communications, Inc.
