The ICO decided not to take any further action against Office despite the fact that the personal details of one million UK customers were compromised in May last year. It has published the firm’s next steps to securing customers’ personal information.
The retailer previously admitted it had no formal policy on data retention and had not trained staff in data protection. Hackers were able to access a legacy, unencrypted customer database which included names, addresses, phone numbers, email addresses and website passwords.
The firm has now brought in penetration testing firm Nettitude and tasked their site development agency, Envoy digital, to build an internal penetration testing harness.
It has introduced a data retention policy; however, it still retains customer information for five years at a time, something the Information Commissioner’s Office suggested should be reconsidered in a post on its site this morning.
The ICO also posted a follow-up on the Racing Post’s case, where it lost 700,000 customer details but, like Office, dodged a fine.
Hackers were able to get into the customer database with a “sophisticated, sustained and aggressive” SQL injection attack on racingpost.com, according to the paper.
It too was given the option to sign an “agreement” with the ICO to publish and monitor its security measures.
The paper said it had introduced an Information Security Risk Register (ISRR) which identifies Information Security (IS) risks in line with ISO27001 controls.
It also updated its penetration and vulnerability testing policy in March this year (almost two years after the breach). The site will now be tested every year, the ICO revealed. Prior to the hack in 2013, the last penetration test had taken place in 2007.
In addition, the firm now stores passwords in encrypted forms on secure servers and has introduced a patch management process with automated notifications for patch releases and a scheduled check for any that slip through the net.
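The two controls the ICO summaries above keep returning to are how customer passwords are stored and how long customer records are kept. The following is an added illustration, not code from Office, the Racing Post, Nettitude or the ICO, of what those controls look like in a customer table: passwords are stored as salted PBKDF2 hashes rather than in reversible (encrypted) or plaintext form, lookups use parameterised queries so that a quote in user input is treated as data rather than SQL, and a retention purge removes records not seen within a configurable window. The schema, the in-memory SQLite store and the sample accounts are all constructed for the example; the five-year window is the figure the article quotes for Office, reused here only as a parameter.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor; a slow hash is the point, so that a stolen
# table cannot be reversed to passwords the way an encrypted column can be.
PBKDF2_ROUNDS = 600_000
FIVE_YEARS = 5 * 365 * 24 * 3600  # retention window quoted in the article, in seconds


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " email TEXT PRIMARY KEY, salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL, last_seen INTEGER NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    customers with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(conn: sqlite3.Connection, email: str, password: str, now: int) -> None:
    salt, digest = hash_password(password)
    # Placeholders (?) send the values separately from the SQL text; the
    # anti-pattern is building the statement with string formatting.
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash, last_seen) VALUES (?, ?, ?, ?)",
        (email, salt, digest, now),
    )


def verify_password(conn: sqlite3.Connection, email: str, password: str, now: int) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one.
    The email is bound as a parameter, so input containing quotes or SQL
    keywords is matched literally and never changes the query."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, digest = hash_password(password, salt)
    if not hmac.compare_digest(digest, stored):
        return False
    conn.execute("UPDATE users SET last_seen = ? WHERE email = ?", (now, email))
    return True


def purge_inactive(conn: sqlite3.Connection, now: int, max_age: int = FIVE_YEARS) -> int:
    """Delete customer records not seen within max_age seconds; returns the
    number removed. A retention policy is only real if something enforces it."""
    cur = conn.execute("DELETE FROM users WHERE last_seen < ?", (now - max_age,))
    return cur.rowcount


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample data: one active account, one untouched for six years.
    now = 1_700_000_000
    conn = make_db()
    register(conn, "active@example.com", "correct horse battery", now)
    register(conn, "dormant@example.com", "old password", now - 6 * 365 * 24 * 3600)
    print("good login:", verify_password(conn, "active@example.com", "correct horse battery", now))
    print("bad login:", verify_password(conn, "active@example.com", "wrong", now))
    print("quote in input:", verify_password(conn, "x'y@example.com", "anything", now))
    print("purged:", purge_inactive(conn, now), "remaining:", count_users(conn))
```

Run as a script it registers two constructed accounts, checks a correct and an incorrect password, shows that an email containing a quote simply fails to match, and then purges the account that has been dormant for longer than the five-year window.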