ICO warns industry of SQL injection threat

The Information Commissioner’s Office (ICO) has warned British organisations that they must defend themselves against the common method of hacking known as SQL injection.

The alert comes in the wake of a £7,500 fine against the hotel booking website Worldview Limited for a cyber breach that gave hackers access to the payment card details of more than 3,800 people.

Simon Rice, group manager for technology at the ICO, said: "It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur.

"SQL injection attacks are preventable, but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable."

An SQL injection works by requesting information through a database form, sometimes alongside submission of ostensibly legitimate data to the system.

In the case of Worldview the data stored was actually encrypted, but the means of decryption was stored alongside the information, allowing hackers to access full card details and the three digit security code.

"Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach," Rice added.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing