75,000 GBP Fine For SQL Injection From ICO But With 90% Discount

2014-11-07 09:15

Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments.

Although customers' payment details had been encrypted, the means to decrypt the information - known as the decryption key - was stored with the data.

The Information Commissioner's Office (ICO) press release states that a SQL injection vulnerability that had existed for 3 years was the root cause, so this might imply that the decryption key was either stored in the database or that the database could be used to read the key from elsewhere, such as the file system. The information taken included 3,814 payment card details; the release mentions that both primary account numbers (PANs) and three-digit security codes were accessed, which is even more interesting. The terms and conditions (Citybase, Central London) state:

Your payment card details will be securely held for the purpose of processing the booking until the day of check in. On the day of check-in, the credit card details are removed from our systems.

That's the travel industry problem of stored card data.
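As an added illustration of the decryption-key point above (this is not code from the original post or from the company involved), the following Python models the two designs side by side: card data encrypted with the key kept in the same database, versus the key held outside it. The cipher is an HMAC-SHA256 counter-mode keystream standing in for AES; the table names, the "card_key" row and the test PAN are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def prf_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR keystream from HMAC-SHA256 in counter mode (demo stand-in for AES-GCM;
    key handling, not the cipher, is the point). Encrypt and decrypt are the same op."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def new_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE bookings (id INTEGER PRIMARY KEY, nonce BLOB, pan_ct BLOB);"
        "CREATE TABLE app_config (name TEXT PRIMARY KEY, value BLOB);"
    )
    return conn


def store_booking(conn, key: bytes, pan: str, key_in_db: bool) -> None:
    nonce = os.urandom(16)
    conn.execute("INSERT INTO bookings (nonce, pan_ct) VALUES (?, ?)",
                 (nonce, prf_ctr(key, nonce, pan.encode())))
    if key_in_db:  # the colocation the post describes: key stored next to the data
        conn.execute("INSERT OR REPLACE INTO app_config VALUES ('card_key', ?)", (key,))


def pans_recoverable_from_db_alone(conn) -> list:
    """What a read of every table (the SQL injection scenario) yields in clear."""
    key_row = conn.execute("SELECT value FROM app_config WHERE name = 'card_key'").fetchone()
    if key_row is None:
        return []  # only ciphertext; the key is not obtainable from the database
    return [prf_ctr(bytes(key_row[0]), bytes(n), bytes(c)).decode()
            for n, c in conn.execute("SELECT nonce, pan_ct FROM bookings")]


def demo(key_in_db: bool) -> list:
    key = os.urandom(32)  # in the fixed design this comes from a KMS/HSM or an env var
    conn = new_store()
    store_booking(conn, key, "4111111111111111", key_in_db)  # constructed test PAN
    return pans_recoverable_from_db_alone(conn)


if __name__ == "__main__":
    print("key in DB:", demo(True))  # ['4111111111111111']
    print("key outside DB:", demo(False))  # []
```

With the key outside the database, a full dump of the tables yields nothing usable; with the key inside, the encryption adds no protection against the fault the ICO describes.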

Apparently the fine would have been £75,000 but this may have put the company out of business. However, I suspect the fact that Worldview Limited will also be paying forensic investigation charges, card re-issue fees, card monitoring fees and fines relating to their PCI DSS contractual obligations will also have been taken into account by the ICO. However, £7,500 is a lot less than Worldview should be spending to ensure their customer data is secure. The fine is reduced further to £6,000 if payment is made by 1st December 2014.

The monetary penalty notice is available on the ICO web site.

The two "site security" pages on both web sites (Citybase, Central London) put a lot of faith in the use of "industry standard Secure Socket Layer (SSL) encryption technology" only:

When you submit your card details the information is encrypted (scrambled) so that it can only be read by the secure server, making the transaction as secure as possible.

When Lush Cosmetics had an ecommerce incident in 2010-11 with a similar number of cards and other personal data compromised, there was no fine — just an undertaking (and of course the PCI DSS costs). I suspect this stronger response from the ICO reflects its view that SQL injection is a basic fault that is below any acceptable level of security.

Update 7th November 2014: Link to monetary penalty notice and details of early payment discount added.


Source: www.clerkendweller.uk/2014/11/7/SQL-Injection-75000-Fine-From-ICO-But-With-90-Discount
