New analysis from cyber security specialists at the Cyberfort Group has revealed that 21% of fines* issued by the Information Commissioner’s Office (ICO) between 2015 to 2018 involved insecure payment card data or financial information.
Almost a third of these breaches were down to organisations neglecting simple security procedures, whilst over three quarters were caused by issues at the application layer, often related to out-of-date software, insecure third-party payment systems, or inadequate scanning. All of these breaches therefore contravened Payment Card Industry Data Security Standard (PCI DSS) requirements.
In one organisation, up to 40 employees used the same password for the server, and had full admin rights to the overall system. Another case saw a coding error present in the website login page, which enabled an attacker to obtain usernames and password hashes – ultimately allowing access to the organisation’s web server.
The analysis also revealed that the £1.74 million in fines issued for these incidents by the ICO in this time period could have amounted to almost £889 million under the General Data Protection Regulation (GDPR)**.
Phil Bindley, managing director at data centre and managed service provider, The Bunker commented: “PCI DSS compliance is a continuous journey and one that requires regular assessment to identify any weaknesses across an organisation.
“Regulators aren’t going to be lenient about failings in this space, and if businesses don’t invest enough into improving defences, we’re going to see more organisations having to pay the price for a relaxed approach to security.”
Simon Fletcher, managing director at cyber security specialist, Arcturus added: “We’re still seeing businesses failing to implement even basic measures when it comes to securing sensitive information.
“The need for regular and thorough testing is clearly outlined by PCI DSS, and is something that is still forgotten by many or causes confusion, particularly when it comes to the application layer. Testing systems is vital in order to ensure that any issues are quickly addressed to prevent data being put at risk.”
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.