No financial information compromised, only email addresses and phone numbers

Aug 28, 2014 17:17 GMT  ·  By

An intrusion into Racing Post's systems compromised the accounts of 677,335 registered customers and exposed their personal information.

According to the investigation carried out by the Information Commissioner's Office (ICO), the intrusion was possible because the company had not applied security patches to the software running its website, racingpost.com. The unpatched vulnerability allowed the attackers to carry out an SQL injection attack against the site.

As a result, the attackers extracted a database containing customers' names, addresses, passwords, dates of birth and telephone numbers.

The ICO determined that the company's last security audit had been carried out in 2007 and that no security patches had been applied since.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers’ details,” said Stephen Eckersley, ICO head of enforcement.

The company has signed a commitment to improve the security of its website by February 28, 2015, by introducing routine security checks and ensuring that updates are applied regularly.

The ICO's response reflects a degree of leniency, since no financial information was compromised. Email addresses and phone numbers are nonetheless valuable to cybercriminals, who can use them to profile their owners or as a starting point for phishing, and the stolen passwords put at risk any other accounts on which customers reused them.