This week two further pieces of information have emerged
around the most recent TalkTalk breach:
a) the attack vector
now appears to be SQLi (SQL injection) [1]. SQLi is one of the most common vulnerabilities in
web applications [2], and anyone building a business website really should
understand this vulnerability and how to protect against it (in short: never splice
user-supplied input into SQL text; use parameterised queries);
b) Harding further demonstrated an utter lack
of understanding of the situation by saying TalkTalk has “no legal obligation
to encrypt customer bank details.” [3] No, Ms Harding: technically you are
correct, in the same way that there is no legal obligation to look left and
right before crossing a road. Only a fool does not look both ways, and only
a fool does not encrypt sensitive data at rest (or sensitive data in transit, for
that matter). Mahisha Rupan, senior associate at Kemp Little, explains:
“There is a legal obligation for companies to implement suitable security
measures to prevent personal data from being accidentally or deliberately
compromised. It is important to stress that companies are not obliged to have
state-of-the-art security technology; they only need to have security that is
appropriate to the type of data they are holding and the harm that may result
from the loss of that data.” [4]
Maybe it is time to put 1) “remember to encrypt sensitive data”
and 2) “undertake some web application penetration testing pretty damn quickly” at the top of your IT department’s to-do list.
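As an added worked example (this is not code from the original post, nor TalkTalk's), here is what item a) above means in practice: a customer lookup that splices user input into the SQL text, beside its parameterised fix, run against a constructed in-memory SQLite table of made-up customers. The table, column names and the two payloads are assumptions for illustration; the second payload shows how an injectable query is turned into a dump of exactly the kind of bank details discussed above, which is what a web application penetration test would probe for.

```python
"""
Added example (not from the original post): a SQL-injectable lookup next to
its parameterised fix, exercised against a constructed in-memory SQLite table.
Table layout, rows and payloads are made up for illustration.
"""
import sqlite3

# Constructed sample data: a fake customer table that also holds "bank details".
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "12-34-56", "11111111"),
    ("bob", "bob@example.com", "65-43-21", "22222222"),
]

# Classic tautology payload: makes the WHERE clause always true.
INJECTION_TAUTOLOGY = "' OR '1'='1"
# UNION payload: closes the string, bolts on a second SELECT that pulls the
# bank-detail columns into the two columns the page normally shows, and
# comments out the trailing quote.
INJECTION_UNION = "' UNION SELECT sort_code, account_no FROM customers--"


def make_db() -> sqlite3.Connection:
    """Build the constructed customers table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers "
        "(username TEXT, email TEXT, sort_code TEXT, account_no TEXT)"
    )
    con.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """Vulnerable: attacker-controlled input is pasted straight into the SQL text,
    so the input can change the structure of the query."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels separately from the SQL via a placeholder,
    so the database engine never parses it as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


def run_demo() -> dict:
    """Run both lookups against both payloads and a normal input."""
    con = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(con, INJECTION_TAUTOLOGY),
        "safe_tautology": lookup_safe(con, INJECTION_TAUTOLOGY),
        "vuln_union": lookup_vulnerable(con, INJECTION_UNION),
        "safe_union": lookup_safe(con, INJECTION_UNION),
        "safe_normal": lookup_safe(con, "alice"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the tautology payload returns every customer and the UNION payload returns the sort codes and account numbers; the parameterised version returns nothing for either, because it looks for a customer literally named `' OR '1'='1`. Note that Python's `sqlite3` refuses to execute more than one statement per call, so a stacked-query payload such as `'; DROP TABLE customers--` would raise an error here; many server-side database drivers do allow stacked statements, which only widens what an injection can do.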