Blog: Data Protection: Information Security and the Construction Industry
Earlier this month, the construction company Construction Materials Online Limited (CMO) was fined £55,000 by the Information Commissioner's Office for breaching the laws on data protection and information security. Valerie Surgenor from MacRoberts discusses the case.
So what happened?
CMO operated a website which enabled customers to buy building materials online. CMO’s website was created by a third party website developer, and unknown to CMO, the website’s log-in pages contained a coding error.
This coding error created a vulnerability which allowed a hacker to modify the payment pages and access the personal banking details of over 600 customers, including their names, addresses, bank account numbers and sort codes.
What did the ICO say?
The ICO (the data protection regulator in the UK) found that CMO, as the data controller, failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, as is required by principle 7 of the Data Protection Act 1998 (DPA).
In particular, the ICO found that CMO failed to:
What is principle 7?
Principle 7 requires organisations to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. According to the ICO’s guidance, in practice, this principle means that organisations must:
Why should you care?