Organizations urged to protect against SQL injection attacks

Nov 5, 2014 18:35 GMT

Unauthorized individuals accessed encrypted payment details of customers of a hotel booking website by using the decryption key stored with the data.

The company, Worldview Limited, was fined by the Information Commissioner’s Office (ICO), the UK’s privacy watchdog, for keeping the decryption key alongside the data, which gave the intruders unhindered access to the sensitive information of 3,814 clients.

Following the incident, the ICO imposed a fine of £7,500 / €9,560 / $11,900 on the company.

Full card details, security code included, stored in the database

At the root of the breach was improper handling of user-supplied input in SQL statements, which allowed access to the database through an SQL injection vulnerability.
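As an added illustration, not taken from the article or the ICO report, the following compares splicing untrusted input into a query (the flaw class behind this breach) with binding it as a parameter; the SQLite table and its rows are constructed for the demonstration and do not reflect the booking site's real schema.

```python
import sqlite3

# Constructed sample data for the demonstration; not the booking site's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (ref TEXT, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [("A100", "alice", "1111"), ("B200", "bob", "2222")],
    )
    return conn

def lookup_vulnerable(conn, ref):
    # Untrusted input is spliced into the statement text, so any quote
    # characters in it are parsed as SQL: the flaw class the ICO describes.
    sql = "SELECT ref, customer, card_last4 FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, ref):
    # The value is bound separately from the statement; the database never
    # interprets it as SQL, so no string sanitizing is needed.
    sql = "SELECT ref, customer, card_last4 FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()

def row_counts(ref):
    # Regression-test helper: how many rows each variant returns for one input.
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, ref)), len(lookup_parameterized(conn, ref))
    finally:
        conn.close()

if __name__ == "__main__":
    # A legitimate booking reference behaves the same under both variants.
    print(row_counts("A100"))          # (1, 1)
    # An input containing a quote rewrites the vulnerable query's WHERE clause
    # into a tautology and returns every row; the bound version returns none.
    print(row_counts("' OR '1'='1"))   # (2, 0)
```

A test like `row_counts` belongs in the site's regression suite so that a query reverting to string concatenation is caught before deployment.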

ICO issued a call to organizations to start protecting their websites “against one of the most common forms of online attack – known as SQL injection.”

With the decryption key stored next to the encrypted information, and using one of the most basic forms of attack against a website, the attackers had no trouble reaching full card details.

According to the ICO report, the security code (CVV or CVV2), a short string of digits required for online payments as a means of validating that the buyer holds the physical card and not just its data, was also present in the database.

Best practices promoted by the Payment Card Industry strongly recommend that merchants not store the CVV or CVV2 on their systems.

The code is generally stored for the convenience of the returning shopper, who no longer has to re-enter all of the card details. However, if the online shopping account is compromised, the attacker can make purchases as if they were the true owner of the account, since no further step is required to authorize the payment.

SQL injection is one of the simplest forms of attack

The Information Commissioner’s Office says that the SQL injection flaw existed on the website since May 2010 and was discovered on June 28, 2013, during a routine security check. It appears that the intruders had access to the sensitive details for a period of ten days.

The flaw is no longer present on the website, as the company has upgraded its security to avoid falling victim to other forms of cyber-attack.

“It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over three thousand customers to be compromised,” said Simon Rice, ICO Group Manager for Technology.

“Organisations must act now to avoid one of the oldest hackers' tricks in the book,” urged Rice, suggesting that organisations turn to outside experts if the knowledge is not available in-house.