On 5 November 2014 the ICO issued its latest Monetary Penalty Notice against Worldview Limited (Worldview). Worldview was fined £7,500 for contravention of the seventh Data Protection Principle:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Worldview had severe vulnerabilities in its website code and, as a result, hackers were able to perform a Structured Query Language (SQL) injection attack and extract the full card details, including the three-digit security code, of 3,814 of Worldview's customers from its database.
Worldview confirmed that no specific security checks were carried out on the web page prior to launch and that there was a lack of relevant training in security matters for developers and insufficient oversight and checking of their work.
Worldview would have received a fine of £75,000 but due to the adverse impact this would have on Worldview's finances the fine was significantly reduced.
In light of this most recent Monetary Penalty Notice the ICO issued a statement warning that SQL injection attacks are one of the oldest tricks in the hackers' book and that companies must protect themselves from such attacks. Below we briefly set out what an SQL injection attack is and what steps organisations can take to help protect themselves from such an attack.
What is an SQL injection attack?
There are many different types of SQL injection attack, but a simple explanation is as follows. A hacker exploits weaknesses in a website's code to "inject" SQL commands through normal user input channels, for example a registration form into which a customer would enter his or her details. Because the website builds its database queries from that input, the injected commands are executed by the database, giving the hacker access to the website's database.
What can be done to minimise vulnerability to SQL injection attacks?
SQL injection attacks are one of the most prolific forms of website hacking and have been the cause of numerous data breaches over the years. Protecting against SQL injection attacks should be an important part of every company's IT security plan.
Companies that are worried about their website vulnerability or wider IT system security should take expert advice on the security aspects. Getting website security (and more general IT security) right in the first place may save the cost of substantial fines and reputational damages should the company's website be attacked, resulting in a data breach.
SQL injection attacks work by exploiting vulnerabilities in website code. Therefore, one way to help protect against SQL injection attacks is to ensure the website's code is as robust as possible. This can be done by using experienced website designers/coders to create the website. Also, ensure that security checks are performed throughout the development phase as well as at the implementation stage.
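To make concrete what "weakness in the website's code" means for the registration-form scenario described above, here is an added illustration (not code from the Worldview site, the ICO or TLT). It uses a constructed in-memory SQLite table with made-up customer records, and compares a lookup that pastes the form value straight into the SQL text with one that passes it as a bound parameter, which is the standard defence a reviewer or vulnerability test would look for.

```python
import sqlite3

# Constructed sample data for the illustration (not a real schema or real customers).
CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Weak pattern: the form value is concatenated into the SQL text.

    The database cannot distinguish the customer's input from the query
    itself, so input containing SQL syntax changes what the query does.
    """
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """Hardened pattern: the form value is bound to a placeholder.

    The SQL text is fixed; the input is handed to the database as data,
    so it can only ever be compared against the email column.
    """
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both lookups on the same input and return their results side by side."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, email),
            "parameterised": lookup_parameterised(conn, email),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal form value: both versions return the single matching customer.
    print(compare("alice@example.com"))
    # A value containing SQL syntax: the concatenated query no longer filters
    # by email and returns every row, while the parameterised query simply
    # finds no customer with that literal address.
    print(compare("x' OR '1'='1"))
```

The point for a code review or a pre-launch security check is that the hardened version is no harder to write than the weak one; the difference is purely whether user input ever becomes part of the SQL text. The same placeholder mechanism exists in every mainstream database library, and it is the control the ICO guidance referred to at the end of this note expects to see.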
If possible, carry out vulnerability tests on all systems. If these tests flag any vulnerability, act immediately to secure the systems in order to reduce the threat of an attack.
The company may use software or content management systems provided by third parties. Systems sourced from a reputable provider will hopefully have adequate security; however, any system may have a flaw, so ensure that any updates released by the provider are implemented as soon as possible. It is best practice to have a software update policy in place to ensure software updates are regularly undertaken.
It is not only websites that can be vulnerable. Any public interface that interacts with the company's database, such as a mobile app, can be used to carry out SQL injection attacks, as each one provides potential access to the database. Ensure that all access points have adequate security.
Companies using third parties to supply IT services should think about taking legal advice on their contract with that supplier to ensure security maintenance will be undertaken and that there is sufficient cover should the company become the victim of an attack.
SQL injection attacks have been well known for some time and the Worldview monetary penalty notice is a clear indication that the ICO expects organisations to take appropriate precautions to prevent successful SQL injection attacks. Organisations that are the victim of such attacks will be at a high risk of receiving a monetary penalty notice if any significant personal data is compromised.
The ICO has issued a detailed guidance document, "Protecting personal data in online services", which includes a section on best practice to protect against SQL injection attacks.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2014. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.