Unfortunate building supplier fine outlines why SMEs need to prioritise cyber security

Published on: 3 May 2017

An online building products supplier has been fined £55,000 after failing to sufficiently protect its customers’ personal information.

Plymouth-based Construction Materials Online Ltd (CMO) was unaware its website contained a coding error that left it vulnerable to attack.

In May 2014, an attacker used an SQL injection, a common hacking technique, to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.

It later emerged that the firm did not have the appropriate technical measures in place to prevent the attack, which meant it breached the Data Protection Act.

Steve Eckersley, head of enforcement at the Information Commissioner’s Office (ICO), which investigated and eventually fined CMO, said: “When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud.

“Its failure to make cyber security a top priority has proved a costly mistake.”

The ICO was satisfied that CMO’s failure to keep customer details safe was an oversight rather than an intentional attempt to bypass the law.

However, Mr Eckersley said CMO’s example should demonstrate that cyber security should be a top priority for businesses of all sizes.

“This fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first,” he concluded.