Watchdog bites hotel booking site: Over 3k card details slurped

SQL flaw ‘oldest trick in the book' – ICO


Hotel booking website Worldview Limited has been fined £7,500 over a security breach involving its website that allowed hackers to swipe the full payment card details of some 3,814 customers.

Sensitive data was accessed after the unidentified attacker exploited a SQL injection flaw in Worldview website to access the firm's customer database. Although customers’ payment details had been encrypted, the means to decrypt the information — the decryption key — was stored with the data, according to a subsequent investigation by privacy watchdogs at the Information Commissioner’s Office (ICO).

The combination of security mistakes allowed cybercrooks to access the customers’ full card details, including the three digit security code needed to authorise payments.

"The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013," according to a statement by the ICO on the case. "The attackers had access to the information for ten days. The company has now corrected the flaw and has invested in improving its IT security systems."

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the firm’s financial situation, before deciding to levy a much less severe fine that didn't run the risk of putting the company out of business.

Simon Rice, ICO Group Manager for Technology, said Worldview's misfortune offers lessons for other e-commerce businesses, especially when it comes to safeguarding against SQL injection attacks.

"SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable," Rice said. "Worldview failed to do this, allowing the card details of over three thousand customers to be compromised."

"Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach," Rice added.

A blog post by the ICO explaining how an SQL injection attack works and how organisations can protect themselves against common hacker attacks can be found here. A more complete 47 page online security guide from the ICO is here (PDF).

Paul Ayers, EMEA veep at data security expert Vormetric, said Worldview's misfortunes also highlighted the need for better encryption key management.

"Driven by regulatory compliance requirements and highly visible publicly disclosed security breaches, many of today’s businesses are eagerly looking to encryption controls for data security," Ayers explained. "However, most are doing so on an ad hoc basis, with no central oversight or long-term strategy in place."

"As this case crucially demonstrates, unmanaged encryption keys can pose a critical risk to data – and a real risk to an organisation’s lifeblood," he added. ®

Similar topics


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • UK watchdogs ask how they can better regulate algorithms
    We have bad news: you probably can't... but good luck anyway

    UK watchdogs under the banner of the Digital Regulation Cooperation Forum (DRCF) have called for views on the benefits and risks of how sites and apps use algorithms.

    While "algorithm" can be defined as a strict set of rules to be followed by a computer in calculations, the term has become a boogeyman as lawmakers grapple with the revelation that they are involved in every digital service we use today.

    Whether that's which video to watch next on YouTube, which film you might enjoy on Netflix, who turns up in your Twitter feed, search autosuggestions, and what you might like to buy on Amazon – the algorithm governs them all and much more.

    Continue reading
  • India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
    Customer data collection and retention requirements also increased, including for crypto operators

    India's Computer Emergency Response Team (CERT-In) has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

    The national infosec agency stated the short deadline is needed as it has identified "certain gaps causing hindrance in incident analysis."

    Organizations can use email, phone, or fax to send incident reports. Just how the analog mediums will improve improve analysis gaps is uncertain.

    Continue reading
  • Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft
    Life tastes not so good right now

    Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.

    "We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."

    The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.

    Continue reading
  • Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
    Financial software giant slammed for 'poor security practices'

    Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.

    In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.

    Someone earlier stole from Mailchimp details of Trezor's mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.

    Continue reading

Biting the hand that feeds IT © 1998–2022