Boomerang Video Ltd fined £60,000 by the ICO for compromising user data over a cyberattack
hacked passwords

Boomerang Video Ltd fined £60,000 by the ICO for compromising user data over a cyberattack

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Boomerang Video Ltd owns and controls an online website where customers can rent or buy video games through their payment web application. Users log in and have a choice of video games for various consoles that are physically sent to them and then returned to their warehouse after the customer has finished playing the game.

The online platform requires certain information for a customer to sign up to their services, including a username, password and bank details to pay the monthly subscription fee.

Unfortunately, their app was targeted in a cyberattack and was successfully hacked in December of 2014.

Boomerang “unaware” of software coding error

Boomerang was reportedly unaware that the coding used to create their login page contained an error. Hackers found the vulnerability and exploited it with an SQL injection.

This coding method can manipulate data, corrupt it, or remove it. In this case, hackers chose to take customer login information, and some of the passwords they obtained were simple single everyday words that could be found in the dictionary.

Malware uploaded to servers

The hackers didn’t just stop there; they uploaded malware on to the server to keep the system down and access even more customer information.

According to the Information Commissioner’s Office (ICO) investigation findings:

“…the attacker was able to query the customer database and download text files containing 26,331 cardholder details.”

Whilst some of the data was encrypted, the decryption key was quickly found. Like hiding a key under the doormat, it doesn’t make a great deal of difference if you’ve locked your door or not if you don’t keep the key safely hidden.

Data put at risk

The business offers various levels of memberships but all of them require a subscription and a monthly payment. When customers sign up and provide their bank details, they expect this information to be watertight. As a data controller, Boomerang had the authority to obtain and hold their customer information for the purposes of the services provided. However, they appear to have failed to uphold their legal duty to keep this information safe. Starting from the vulnerable login screen and the failed security measures in their server, Boomerang is responsible for putting their customers at data risk.

With this abundance of information the hackers may have taken, victims are clearly at risk of fraud. Boomerang customers are exposed to a huge risk of identity theft, phishing emails and bank account fraud; amongst other potential problems.

ICO condemnation

The ICO condemned Boomerang Video for failing to implement cybersecurity measures that could effectively have prevented the attack. The independent body identified Boomerang’s specific failings:

  • The business didn’t conduct regular penetration testing to check for vulnerabilities
  • Boomerang’s own passwords for the part of the website where login details were stored was much too simple and easily guessed
  • The decryption key was not safely hidden and was not secure

Whilst we applaud the ICO for issuing Boomerang with the £60,000 fine – the customers remain the real victims, and they may be entitled to financial compensation themselves.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon