The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack” SQL injection. The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers. The data was accessed after the attacker exploited a flaw on a page of the Worldview website to access the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information” known as the decryption key” were stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three digit security code needed to authorise payment. The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and invested in improving its IT security systems. Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation. Attacks are preventable Simon Rice, the ICO’s group manager for technology, commented:” It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their websites are not vulnerable. Worldview Limited failed to do this, allowing the card details of over 3,000 customers to be compromised.” Rice added:” Organisations must act now to avoid one of the oldest tricks in the book deployed by hackers. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”
“Organisations must act now to avoid hackers’ oldest trick in the book” urges ICO
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.