The Information Commissioner’s Office (ICO) has urged UK organisations to protect their websites against SQL injection (SQLi) attacks.
This attack technique has been in use for more than 15 years, yet it remains one of the most common attack methods, with many websites still vulnerable because of poor coding practices.
Research has shown SQLi to be an extremely common attack method; in the past 10 years it has been linked to 90% of database records stolen.
SQLi involves entering malicious commands into URLs and text fields on vulnerable websites, usually to steal the contents of databases storing valuable data, such as credit card details.
Even though websites can be protected easily, the attack method has been associated with many high-profile data breaches.
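To make the "poor coding practices" and the "easy" protection concrete, the following is an added illustration, not code from the ICO, Worldview or any other party named in the article. It uses Python's standard sqlite3 module and a constructed, hypothetical bookings table. The vulnerable function splices user input into the SQL text, so a quote character in the input changes the query's meaning; the fixed function uses a parameterised query, so the same input is treated purely as a value and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for a booking site's customer table.
# Schema and values are hypothetical; card numbers are masked placeholders.
SAMPLE_BOOKINGS = [
    ("BK-1001", "alice@example.com", "4111********1111"),
    ("BK-1002", "bob@example.com", "5500********0004"),
    ("BK-1003", "carol@example.com", "3400******00009"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (ref TEXT, email TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, ref):
    """The poor coding practice: user input is concatenated into the SQL
    string, so whatever the user types becomes part of the query syntax."""
    sql = "SELECT ref, email, card_masked FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ref):
    """The fix: a parameterised query. The SQL text is fixed at development
    time; the driver binds the input as data, never as query syntax."""
    sql = "SELECT ref, email, card_masked FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def demo():
    """Run both lookups against a normal reference and a constructed hostile
    input of the kind the article describes (a quote that closes the string
    literal followed by an always-true condition)."""
    conn = make_db()
    normal = "BK-1002"
    hostile = "x' OR '1'='1"  # constructed test input, not from the article
    return {
        "normal_vulnerable": lookup_vulnerable(conn, normal),
        "normal_safe": lookup_safe(conn, normal),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        "hostile_safe": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Run as a script, the vulnerable lookup returns every row in the table for the hostile input, which is exactly how a booking reference field ends up disclosing a whole customer table; the parameterised lookup returns no rows for the same input and one row for the genuine reference. Reviewing a code base for string-built SQL and replacing it with bound parameters is the "know where to look" step the article refers to.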
The ICO warning comes after the hotel booking website Worldview Limited was fined £7,500 following a serious data breach, where an SQLi vulnerability on the company’s website allowed attackers to access the full payment card details of 3,814 customers.
Although customers’ payment details had been encrypted, the means to decrypt the information – known as the decryption key – was stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three-digit security code needed to authorise payment.
The weakness had existed on the website since May 2010 and was uncovered only during a routine update on 28 June 2013, giving the attackers access to the information for 10 days.
The ICO said Worldview Limited has now corrected the flaw and invested in improving its IT security systems.
Worldview could have received a £75,000 penalty, but the ICO was required to consider the company’s financial situation.
ICO group manager for technology Simon Rice said it may come as a surprise in the IT security industry that this type of attack is still allowed to occur.
“SQLi attacks are preventable, but organisations need to spend the necessary time and effort to make sure their website is not vulnerable,” he said. “Worldview Limited failed to do this, allowing the card details of more than 3,000 customers to be compromised.”
The ICO is calling on UK organisations to take immediate action to avoid “one of the oldest hackers’ tricks in the book”.
Rice said if organisations do not have the expertise in-house they should seek outside help to avoid being the next organisation on the end of an ICO monetary penalty, as well as receiving the reputational damage that results from a serious data breach.
“The good news is the problem is easy to fix, but you do need to know where to look,” he wrote in a blog post that explained how an SQLi attack works and how organisations can protect themselves.
The ICO has also published a report explaining how organisations can protect themselves from SQL attacks and the other common IT security failings uncovered during its recent investigations.