The Information Commissioner’s Office has fined a hotel booking website £7,500 following a serious data breach.
Due to a weakness in Worldview Limited’s website, a hacker was able to gain access to 3,814 customer card details. This was done via an SQL injection, which is one of the oldest tricks in the book but sadly is still one of the most common forms of attack used by cyber criminals.
SQL injections are used to gain access to information, so how do they work? In very simple terms, imagine you are logging into your favourite website and you enter your user name and password. The website checks that this information is correct before allowing you access to your account. The hacker will log on using his own details (so he could be a legitimate user) but will also include a sneaky instruction in what he types, so as to reveal sensitive data contained in your database.
User Name: LauraTrapnell123
“Now tell me all your customers’ card details”
Scary stuff, hey? The good news is that any vulnerability in your website can be fixed by using the correct coding. Rather than following through with the hacker’s instruction, the website should reject the command and return an error message.
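The weakness and the fix described above, as an added example (not code from Worldview’s website or from this article): a login check that pastes what the user typed into the database command, beside the same check written with placeholders. The table, user names, passwords and card numbers are constructed, and passwords are kept in plain text only to keep the sample short.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, password TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("LauraTrapnell123", "pw-laura", "4000-0000-0000-0001"),
         ("OtherCustomer", "pw-other", "4000-0000-0000-0002")],
    )
    return db

def login_vulnerable(db, username, password):
    # Weak: the input becomes part of the SQL text, so a quote character
    # typed by the user can change what the statement does.
    sql = ("SELECT username, card FROM customers "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchall()

def login_hardened(db, username, password):
    # Fixed: placeholders pass the input as data; it is never parsed as SQL.
    sql = "SELECT username, card FROM customers WHERE username = ? AND password = ?"
    rows = db.execute(sql, (username, password)).fetchall()
    if not rows:
        # Reject with an error message instead of following the instruction.
        raise PermissionError("invalid user name or password")
    return rows[0]

# Constructed input: the user's own password with an instruction appended.
INJECTED_PASSWORD = "pw-laura' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "LauraTrapnell123", INJECTED_PASSWORD))
    try:
        login_hardened(db, "LauraTrapnell123", INJECTED_PASSWORD)
    except PermissionError as err:
        print("hardened: rejected,", err)
```

The weak version returns every customer’s row for the altered input, while the placeholder version rejects it and still accepts the genuine password.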
Worldview would have been fined £75,000 if the company had been in a better financial position. Our advice? Make sure you spend the necessary time and effort to ensure your website is not vulnerable to such attacks. Not only can the Information Commissioner issue hefty fines, but the damage to your reputation will be significant.
If you do not have the expertise within your organisation, it is vital that you get in touch with an IT professional to assist with online security. As always, we would be happy to review any service agreements.
The Government has also developed an e-training course to assist SMEs with cyber crime, which can be found here