Out-Law News 1 min. read

Fine should prompt businesses to address threat of 'SQL injection' attacks, says ICO


A fine issued to a hotel booking business over its data security failings should serve as a warning to other organisations that they need to take steps to address a common cyber attack, the Information Commissioner's Office (ICO) said.

The UK's data protection watchdog said Worldview Limited (Worldview) had committed a serious breach of the Data Protection Act by failing to appropriately secure personal data it was responsible for. The ICO fined the company £7,500 over the breach. It said the penalty would have been £75,000 but that it decided to apply the lower amount as a penalty for the breach in recognition of the company’s financial position.

A vulnerability in Worldview's systems enabled hackers to access payment card details belonging to 3,814 customers by performing an SQL injection attack, which is where attackers probe for website coding flaws, the ICO said. The customer database that was accessed was encrypted but Worldview had stored the information necessary to decrypt the data alongside the data itself, it said.

"This oversight allowed the attackers to access the customers’ full card details, including the three digit security code (CVV) needed to authorise payment," the ICO said.

Simon Rice, ICO group manager for technology, said organisations "organisations need to spend the necessary time and effort" to protect their websites against SQL injection attacks.

“Organisations must act now to avoid one of the oldest hackers' tricks in the book," Rice said. "If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach."

According to the monetary penalty notice (11-page / 207KB PDF) issued by the ICO, Worldview was aware of the payment card industry data security standard (PCI DSS). PCI DSS prohibits the storage of sensitive payment authentication data, including security codes on cards, by organisations.

"Active card data was obtained over a 10 day period including the CVV values that could have been decrypted," the ICO's notice said. "Although there is no evidence of fraud having taken place as a result of this incident, the personal data that was obtained was clearly of interest to the attacker given the targeted nature of the attack, and could still be used for fraudulent purposes. It is reasonable to assume therefore that it is likely that the attacker would use this information in a manner that would cause substantial damage to the data subjects either in the short or long term."

"The data subjects would also be likely to suffer from substantial distress on being informed that their personal data had been accessed by an unauthorised third party and could have been further disclosed even though, so far as the Commissioner is aware, there has been no evidence of fraudulent transactions being conducted as a result of this incident. The knowledge of this access alone is likely to cause substantial distress," it said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.