Out-Law News

Retailer fined after payment card details exposed in cyber attack


A retailer that sells building products over the internet has been fined £55,000 by the UK's data protection watchdog after customers' payment card details were compromised in a cyber attack.

The Information Commissioner's Office (ICO) said Plymouth-based business Construction Materials Online (CMO) had failed to adequately secure the personal data and that it was responsible for a serious breach of the Data Protection Act.

The breach occurred after a hacker exploited "a coding error" with CMO's website, which was developed by a third party.

According to the monetary penalty notice (16-page / 2.83MB PDF) served by the ICO, a hacker was able to exploit the security vulnerability on 6 May 2014 to "access 669 unencrypted cardholder details at the point of entry to the website". The data accessed included names, addresses, account numbers and security codes, it said. Some of the data was used for "fraudulent purposes", although CMO notified the individuals affected to ensure the fraudulent transactions were "intercepted", the watchdog said.

The ICO said CMO was in breach of its data security obligations from September 2009 until 16 January 2015 when the company "took remedial action" after being notified of the breach by a customer. The ICO highlighted a lack of "regular penetration testing" and insufficiently complex passwords as examples of the data security failings of the company.

Steve Eckersley, the ICO's head of enforcement, said: "When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud. Its failure to make cyber security a top priority has proved a costly mistake."

"It’s not just large, household-name companies that have to consider cyber security. Cyber security must be a top priority for businesses regardless of size. This fine must serve as a warning to other small and medium-sized firms that the security of their customers’ personal information must come first," Eckersley said.
