Racing Post escapes ICO fine over 2013 data breach

The Racing Post betting website has pledged to beef up its IT security practices, in the wake of an investigation by the Information Commissioner's Office (ICO) into its 2013 data breach.

As reported by IT Pro in November 2013, the site fell victim to a "sophisticated, sustained and aggressive" cyber attack last October that resulted in 677,335 of its user accounts becoming compromised.

The perpetrators reportedly seized on existing vulnerabilities on the racingpost.com website to carry out the attack, which allowed them to access customer's names, addresses, passwords, birth dates and telephone numbers.

The ICO launched an investigation into the circumstances surrounding the breach and discovered, although penetration testing had been carried out on the site in 2007, up-to-date security patches had not been applied since then, leaving it vulnerable to attack.

The data protection watchdog said it also found issue with the way the company stores its customers' information.

As a result, the company has signed an undertaking with the ICO, vowing to tighten up security around the way customer information is secured. As part of this, it must introduce policies about routine security testing and administering updates by 28 February 2015.

However, it avoided a data breach fine from the ICO because no financial information was compromised during the attack and the data that was accessed would not have caused "substantial damage or distress" to those affected, the enforcement body ruled.

Stephen Eckersley, head of enforcement at the ICO, said the case highlights why companies need to have robust security systems in place to keep their customers' data secure.

"The Racing Post pulled up short when it came to protecting their customers' information by failing to keep their IT systems up-to-date," he said.

"This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers' details."