ICO fines Think W3 £150,000
On the 23rd July 2014, the ICO web site listed this monetary fine issued to travel company Think W3 who become the 33rd organisation to be fined since the ICO started to use its powers to fine organisations for contravening the DPA.
What I find most interesting about this fine is, that in my mind it represents the first fine that is not just about omitting to do something simple like not disposing of equipment securely, or not encrypting a portable device. This fine is essentially for a number of failings related to the security of a web application and the infrastructure that it was using. The first item listed is that the website login page coding was not secure.
This in itself is very significant; I have previously commented on the fact that the ICO, not only goes for the low hanging fruit, but that it doesn't necessarily have staff who are technical enough in their training to understand what the real security failings are.
Now I'm not suggesting that this case was actively identified by the ICO, as it wasn't! It was yet another self notification. Nor am I suggesting that the ICO staff undertook their own technical investigation and found out what the technical issues were independently of the defending organisation's investigation, because in this instance, the company was actually open, sharing the results of its own investigation with the ICO.
What I am saying though is that the ICO could see from the details provided, that failing to secure a web site, be it for a lack of secure coding practices, or for putting internal data on an internet facing web server on a single machine, etc. etc. is something that is unacceptable in this day and age when everything is put onto the internet.
It is difficult for me not go into the details here when you can read them directly on the ICO web site here, but I really cannot over emphasize how significant it is for the ICO to be issuing such a fine for something beyond the very obvious and basic omissions of the past.
I have often wondered how long will it take before the ICO moves on to the next higher level of consumer expectation that organisations should adequately protect their data. We have to move on from the very basics to the more technical. And this case is possibly the first to move into that direction.
I hope organisations will take note that the level of security that the ICO is expecting is no longer just about encrypting data, it is also about access to your data, and the infrastructure. So when you, your client's or anyone you are working with is looking to hire a third party to code its web site, secure coding must be a requirement that is high up on the list and certainly up there with how good it looks, or how usable it is. How many organisations can truly boast that they have been doing this already?
The other interesting aspect about this is that it is directly in line with the Government's new Cyber Essentials Scheme which the Government is mandating for all its third party suppliers. Part of the Assessment does require a Penetration Test (the Cyber Essentials Plus).
I have spoken about this at several events and will write more about it soon, and at STORM we are likely to hold briefing seminars in the next few months on this very important topic. Watch this space!