OK
Seeing as government and big business have got their act totally together and never ever make such silly mistakes, it's high time the little guys were brought into line /s
A small UK company that suffered a cyber attack has been fined £60,000 by the Information Commissioner’s Office (ICO). An investigation by the ICO found Berkshire-based Boomerang Video failed to take basic steps to stop its website being attacked, a hacking incident that led to the exposure of the personal details of 26,000 …
Your point certainly has some merit morally, but equally it kind of rings of the childish excuse "but everyone else was doing it"; just because no one else is complying with the rules properly doesn't mean it's OK for you not to as well.
There's also an argument that if you're a small operation then you have fewer systems to maintain, and therefore securing them and testing that security should be much simpler.
Big corps have a lot more systems which can be a lot more complex and therefore harder to secure and security test. Not that that is any excuse of course; big corps should also have the resources to tackle such things, either internally or by outsourcing, but it is easier to understand how the odd thing could slip through the net, whereas in this case it's a small outfit who've failed to take even basic precautions.
On the other hand, SQL Injection was a "zero day" back in the 90s, before the term was even invented!
Sanitizing input for the database has been SOP since the late 90s; there is absolutely no excuse for it in 2017! Any programmer who doesn't check for this in his own testing should be strung up by his short and curlies!
A zero day is different: it is an unknown attack vector at the time the system was implemented or since the last patch. You can't really defend against that, other than making sure that everything else is secure. In that case, you probably won't get a fine.
But failing to check your systems are compliant with Security 101 from the 1999 edition of the guidelines is simply criminal. Not properly securing the private key for encrypted data is dilettantish at best.
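The "check for this in his own testing" point above is easy to turn into a concrete regression test. The following is an added example, not code from the thread or from any company mentioned in it: a constructed in-memory customer table, a string-built lookup of the kind the comment is complaining about, the parameterised equivalent, and a check a developer can keep in a test suite so the string-built version can never come back unnoticed. The table, data and probe string are all made up for the example.

```python
import sqlite3

# Constructed sample table standing in for a shop's customer database
# (invented schema and data for this example).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The 1990s bug: user input is pasted straight into the SQL text."""
    sql = f"SELECT name FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver keeps the data separate from the SQL,
    so the input is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed probe for the regression test: a single quote plus a tautology.
# A correct lookup must treat the whole string as an (unmatched) email address.
PROBE = "x' OR '1'='1"


def leaks_on_injection(lookup) -> bool:
    """True if `lookup` returns rows for the probe, i.e. it is injectable.
    Run this in CI against every database accessor that takes user input."""
    conn = make_db()
    try:
        return len(lookup(conn, PROBE)) > 0
    except sqlite3.Error:
        # A syntax error is also a sign the input reached the SQL parser.
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("unsafe leaks:", leaks_on_injection(lookup_unsafe))  # True
    print("safe leaks:  ", leaks_on_injection(lookup_safe))    # False
```

The string-built version returns every customer for the probe because the quote closes the literal and the tautology matches all rows; the parameterised version returns nothing, because no customer has that string as an email address. Escaping functions exist, but the placeholder form is the one that cannot be forgotten on one code path.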
"If I got hit by a N Korea ICMB"
An Ice Cream Meringue Bombe? An Insanely Clever Mystical Book?
BTW, you may want to look at this Wikipedia page: List of fallacies
Your argument falls into the categories of "False equivalence" and "Tu quoque" with an element of "Vacuous truth". Quite a haul of fallacies for two sentences.
"An ICO investigation found that Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors."
At last we have an official recommendation for regular penetration testing.
I don't think I've seen one of those before, except buried somewhere in a lengthy post mortem.
At first glance the pen testing bothered me. I've never considered pen testing to be a mandatory security feature, certainly to the point that failing to pen test is criminal (a huge bar).
But the ICO's point was that pen testing is part of the PCI compliance that the company claimed to have. So they were effectively lying about their PCI compliance.
"At last we have an official recommendation for regular penetration testing.
I don't think I've seen one of those before, except buried somewhere in a lengthy post mortem."
?
I think you haven't been paying attention in that case. The publicity about penetration testing from the Cabinet Office, GDS and the Government Cyber Essentials Scheme has been constant for the last four years at least. Also the PCI DSS rules require an organisation taking payment by credit card to undergo a penetration test at least annually. These bozos were lazy, incompetent and were breaking the rules that all merchants must apply when handling credit card payments and processing card holder details.
To be honest, we may as well all give up now if this is going to be the attitude of the enforcers. I can guarantee that with 100% motivation, fully financed, and with no distractions I could take down and breach pretty much any internet facing system... and I am not even that good.
Basic data protection methods should be enforced and punishable, but beyond that, how do you protect against the unknown?
The fine is nasty - but the main criticism seems to be related to fairly basic technical issues that any BOFH or like-minded geek would have seen as the bleedin' obvious!
If it was run by techy nerds they should have known better and deserve the hard slap.
More likely it was run by salesmen who ignored their technical people (if they even had any as they may have just "outsourced" any tech type stuff as needed) - in which case they also deserve everything they got.
They're being fined because they didn't take even basic measures to protect their systems.
As is usual for risk-based law, this is all about what is "reasonably practicable".
So if you store CVV numbers for more than a second, you're guilty as ****.
If you follow industry best practice but still get hacked, then you're not guilty.
If you fail to keep up with best practice, you're guilty.
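The CVV point above is a "reasonably practicable" rule that can be enforced in code rather than left to memory. This is an added example, not code from the thread or from any company in it: a payment object that carries the CVV only for the authorisation call, a function that builds the record actually allowed to reach the database (CVV dropped, card number reduced to its last four digits, which is my assumption for what the shop keeps), and an audit routine that can be run over rows of an existing table to find CVVs or unmasked card numbers that should never have been written. The field names and sample values are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CardPayment:
    """What the checkout form receives. Lives in memory for one request only."""
    pan: str            # card number as typed, may contain spaces
    expiry: str
    cvv: str            # used for authorisation, never persisted
    amount_pence: int


# Field names that must not appear in anything written to disk, logs or DB.
FORBIDDEN_AT_REST = {"cvv", "cvc", "cvv2"}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of the card number (assumed policy)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def storable_record(payment: CardPayment, auth_code: str) -> dict:
    """Build the only representation of a payment allowed to be persisted.
    `auth_code` is whatever the acquirer returned; the CVV is not carried over."""
    record = {
        "pan_masked": mask_pan(payment.pan),
        "expiry": payment.expiry,
        "amount_pence": payment.amount_pence,
        "auth_code": auth_code,
    }
    # Defensive check so a later refactor cannot quietly add the CVV back.
    if set(record) & FORBIDDEN_AT_REST:
        raise ValueError("forbidden field about to be persisted")
    return record


def audit_row(row: dict) -> list:
    """Report problems in a row already sitting in a table: a CVV column,
    or any value that is a bare 13-19 digit number (an unmasked card)."""
    problems = []
    for key, value in row.items():
        if key.lower() in FORBIDDEN_AT_REST:
            problems.append(f"{key}: must not be stored after authorisation")
            continue
        text = str(value)
        digit_count = len(re.sub(r"\D", "", text))
        # Only digits, spaces and dashes, with a card-length digit count.
        if re.fullmatch(r"[0-9 -]+", text) and 13 <= digit_count <= 19:
            problems.append(f"{key}: looks like an unmasked card number")
    return problems


if __name__ == "__main__":
    payment = CardPayment("4111 1111 1111 1111", "12/27", "123", 1999)
    good = storable_record(payment, "A1B2")
    print(good, audit_row(good))  # {...'pan_masked': '************1111'...} []
    # Constructed legacy row of the kind the audit is meant to catch.
    bad = {"pan": "4111111111111111", "cvv": "123", "amount_pence": 1999}
    print(audit_row(bad))
```

The separation matters because the CVV has no legitimate use after the authorisation response comes back; once the persisted shape is built by one function and audited by another, "we stored it for a second" stops being a thing that can happen by accident.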
"how do you protect against the unknown?"
Getting your web payment site hacked is not "the unknown", it's the "all too bloody obvious even to a moron". Taking very basic steps to lock down systems and separate payments/finance and personal data from the customer-facing sites is also not unknown. It's just appropriate business practice. People who think that because they don't know how to design a secure e-commerce site no one does are suffering from a massive dose of Dunning-Kruger syndrome.