Construction Materials Online Ltd (CMO) operated a website enabling customers to purchase building products online. A customer could enter their card details to make a purchase, which were then encrypted and sent directly to an external payment system. The website was developed by a third party. CMO was unaware that login pages contained a coding error which left it vulnerable to attack. On 6 May 2014, an attacker used a common hacking technique to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.

The seventh data protection principle, at Schedule 1 to the Data Protection Act 1998, states that measures shall be taken against accidental loss or destruction of, or damage to, personal data.

An investigation by the Information Commissioner’s Office (ICO) found CMO did not have the appropriate technical measures in place against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle.

CMO was fined £55,000 under section 55 of the Data Protection Act 1998.

Chris Evans, Consultant

This briefing was posted on 8 May 2017.