A recent increase in enforcement action, including monetary penalties, issued by the UK Information Commissioner's Office (ICO) in relation to website security failings should serve as a warning to all companies that collect personal data via their websites: their IT security must be appropriately robust. This article looks at the recent cases and suggests actions that businesses can take to minimise their risk.
Hacking historically not the ICO’s focus
Until recently, enforcement action by the ICO in relation to hacking incidents was rare, as the ICO's focus appeared to be the more prevalent breaches of the Data Protection Act arising from lost or stolen laptops and paperwork, and from data disclosed in error to the wrong recipient. The most notable enforcement action arising from a hacking incident was the £250,000 fine issued to Sony Computer Entertainment Europe Limited in January 2013. That penalty arose from the 2011 attack on Sony's PlayStation Network, which affected the personal data of as many as 77 million people. Even so, hacking incidents did not appear to be the ICO's focus.
In the last 12 months, however, there have been three examples of ICO enforcement action in relation to hacking incidents, two of which resulted in combined monetary penalties of £350,000.
A common theme across the website-related data breaches that the ICO has investigated is SQL injection. This class of attack lets an attacker extract data from the back-end databases that sit behind many of today's websites. The underlying coding error is that the website builds its database queries by pasting user-supplied text (from a search box, login form or URL parameter) directly into a structured query language (SQL) statement. Because the database cannot tell where the developer's query ends and the user's input begins, an attacker can type SQL of their own into the form and have the database execute it, returning data the page was never meant to expose or otherwise compromising the system. The standard fix is to send user input to the database separately from the query text, using parameterised (prepared) statements, so that the input is only ever treated as data. SQL injection flaws are relatively straightforward for potential attackers to find using freely available automated tools, and most websites use a variant of SQL to power their databases.
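The following is an added illustration, not code from the ICO report or from any of the cases discussed. It builds a small in-memory SQLite database with constructed sample data, then runs the same customer lookup in two ways: one that pastes the user's input into the SQL text, and one that passes it as a parameter. Two attacker inputs are shown: a tautology that returns every row, and a UNION query that reads the table definition out of SQLite's own catalogue, which is how an attacker learns what to steal next.

```python
"""Added example: SQL injection via string-built queries versus parameterised queries.

Uses an in-memory SQLite database with constructed sample data. Not the ICO's
code or any real site's code; table and column names are made up for this example.
"""
import sqlite3


def make_db():
    """Create a throwaway database with three constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "4242"),
            ("bob@example.com", "1881"),
            ("carol@example.com", "0005"),
        ],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, email):
    """VULNERABLE: the user's input becomes part of the SQL statement itself."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email):
    """SAFE: the statement is fixed; the driver sends the input as a bound value."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs.
# The tautology turns "WHERE email = ''" into a condition that is always true.
TAUTOLOGY = "' OR '1'='1"
# The UNION payload appends a second SELECT against SQLite's schema catalogue;
# the trailing "--" comments out the closing quote the developer wrote.
UNION_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    conn = make_db()
    print("normal:    ", vulnerable_lookup(conn, "alice@example.com"))
    print("tautology: ", vulnerable_lookup(conn, TAUTOLOGY))      # all three rows
    print("schema:    ", vulnerable_lookup(conn, UNION_PAYLOAD))  # table definition
    print("safe:      ", safe_lookup(conn, TAUTOLOGY))            # no rows
```

Run as a script, the vulnerable lookup returns every customer's card digits for the tautology and the `CREATE TABLE` statement for the UNION payload, while the parameterised lookup returns nothing for either, because the database searches for a customer whose e-mail address literally is the attacker's string. Parameterisation is the fix the ICO's "lack of protection from SQL injection" finding points at; input filtering alone is not a substitute.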
In July 2014, Think W3 Limited, an online travel services company, was fined £150,000 by the ICO after a SQL injection attack on its website enabled a hacker to obtain 1.1 million credit and debit card records and other personal data relating to the company's customers. In addition to the flawed coding of the website, the ICO highlighted failures to carry out penetration and vulnerability tests, to review the security of the website code periodically, to apply software patches, and to store securely the decryption key for the card data held on the server.
In August 2014, the Racing Post was required to give an undertaking to the ICO following a SQL injection attack on its website, which gave the attacker access to a database containing the personal details of almost 700,000 individuals. In addition to the coding flaws, the ICO found that the Racing Post had failed to arrange regular security testing or implement security patches to the site.
A third case led to the British Pregnancy Advisory Service (BPAS) being fined £200,000 by the ICO after an attacker exploited a website vulnerability and obtained the contact details of approximately 9,900 individuals who had requested advice from BPAS. The ICO found that BPAS had neither carried out appropriate security testing of the website, which would have identified the vulnerability, nor kept the software up to date through regular testing and patching. The ICO also noted that the contract between BPAS and its website hosting company did not include the provisions that the Data Protection Act requires between a data controller and its data processor.
What should you do?
In response to the increasing problem of website security leading to data breaches, in May 2014 the ICO issued a security report providing advice on common security vulnerabilities as identified during ICO investigations. The top eight vulnerabilities identified in the report are:
a failure to keep software security up to date;
a lack of protection from SQL injection;
the use of unnecessary services;
poor decommissioning of old software and services;
the insecure storage of passwords;
failure to encrypt online communications;
poorly designed networks processing data in inappropriate areas; and
the continued use of default credentials including passwords.
As a starting point, data protection officers, in-house lawyers and other managers responsible for IT security should review the report and work with their IT security team to confirm that each of the issues identified has been addressed. This might include measures such as regular automated vulnerability scanning, periodic penetration testing, and a documented process for applying software updates and patches promptly.
This will become even more important when the new Data Protection Regulation comes into force, as it will extend the mandatory requirement to notify the ICO of data security breaches to all companies (the obligation is currently limited to communications service providers).
Keep up to date
Given the rapid pace of technological change, it is important to ensure that an organisation’s knowledge of cyber-security issues remains up to date.
For example, the ICO report names SSL version 3 as the minimum acceptable encryption protocol. Shortly afterwards, a weakness in SSL 3.0 known as POODLE (CVE-2014-3566) was published. POODLE is a padding-oracle attack: an attacker positioned between the browser and the server, who can cause the connection to fall back to SSL 3.0, can recover small pieces of the encrypted traffic, such as a session cookie, one byte at a time. It does not hand the attacker outright control of the connection, but a recovered session cookie is usually enough to hijack the user's logged-in session. As a result, organisations are being advised to disable SSL 3.0 on their servers (and in browsers) in favour of TLS, so the report's protocol advice was out of date within months of publication.
This illustrates the constantly changing environment that IT security professionals and data protection managers need to navigate in order to avoid regulatory action, monetary penalties, damages claims and reputational loss.