Racing Post dodges ICO data breach fines

Chief executive forced to sign a publicised contract to improve company's data security instead

The Racing Post will not have to pay a fine following the breach of 700,000 customer details last year, the Information Commissioner's Office has said.

The racing magazine and website has instead come to an "agreement" with the ICO, which will see it put better security measures in place by early next year. The ICO has the power to fine organisations up to £500,000 for a breach of the Data Protection Act.

Hackers used an internet-based SQL injection attack on the website to gain access to the newspaper's customer database in an attack last year.

Customers' names, addresses, passwords, date of birth and telephone numbers were accessed. No financial information was compromised.

The company carried out penetration testing in 2007, but had not applied any up-to-date security patches since then.

Following an investigation, the ICO "found problems" with the way the company stored its customers' details. The company had no regular security testing in place, the ICO said.

The stored customer passwords as un-salted MD5 hash values, which the commissioner deemed "not appropriate".

MD5 Hash is an encryption that has become increasingly easy to crack due to published advice on blogs and discussion boards online.

At the time of the attack, the Racing Post told its customers in a post on its website that it had been victim to a "sophisticated, sustained and aggressive" hack.

ICO Head of Enforcement, Stephen Eckersley, said: "There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people's information secure.

"The Racing Post pulled up short when it came to protecting their customers' information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers' details."

The Racing Post is owned by a Dublin-based investment firm, FL Partners. It acquired the magazine in 2007 from Trinity Mirror PLC FOR £165 million.

The ICO published the enforcement document, signed by chief executive, Alan Byrne, on its website last week.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Information Commissioner's OfficeIT BusinessRacing PostCreative & Media

More about CustomersICOTrinity Mirror

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Margi Murphy

Latest Videos

More videos

Blog Posts