Racing Post dodges ICO data breach fines

Chief executive forced to sign a publicised contract to improve company's data security instead

The Racing Post will not have to pay a fine following the breach of 700,000 customer details last year, the Information Commissioner's Office has said.

The racing magazine and website has instead come to an "agreement" with the ICO, which will see it put better security measures in place by early next year. The ICO has the power to fine organisations up to £500,000 for a breach of the Data Protection Act.

Hackers used an internet-based SQL injection attack on the website last year to gain access to the newspaper's customer database.

Customers' names, addresses, passwords, dates of birth and telephone numbers were accessed. No financial information was compromised.

The company carried out penetration testing in 2007, but had not applied any up-to-date security patches since then.

Following an investigation, the ICO "found problems" with the way the company stored its customers' details. The company had no regular security testing in place, the ICO said.

The company stored customer passwords as unsalted MD5 hash values, which the commissioner deemed "not appropriate".

MD5 is a hash function that has become increasingly easy to crack, helped by advice published on blogs and discussion boards online.
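The difference between the unsalted MD5 storage described above and a salted, deliberately slow hash, shown as an added example that is not taken from the article or the ICO document. The function names, the record format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5: equal passwords always yield equal digests in the table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'algo$iterations$salt$digest'."""
    salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than raise
    return hmac.compare_digest(candidate, expected)


def upgrade_on_login(password: str, stored: str) -> Optional[str]:
    """Migration path (hypothetical): when a legacy MD5 record matches at login,
    return a salted record to store in its place; otherwise return None."""
    legacy = legacy_md5(password).encode("ascii")
    if len(stored) == 32 and hmac.compare_digest(legacy, stored.lower().encode("utf-8")):
        return hash_password(password)
    return None
```

Two customers who pick the same password get the same `legacy_md5` value but different `hash_password` records, which is what the per-record salt buys.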

At the time of the attack, the Racing Post told its customers in a post on its website that it had been victim to a "sophisticated, sustained and aggressive" hack.

ICO Head of Enforcement, Stephen Eckersley, said: "There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people's information secure.

"The Racing Post pulled up short when it came to protecting their customers' information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers' details."

The Racing Post is owned by a Dublin-based investment firm, FL Partners. It acquired the magazine in 2007 from Trinity Mirror PLC for £165 million.

The ICO published the enforcement document, signed by chief executive, Alan Byrne, on its website last week.

Stories by Margi Murphy

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place