British ISP TalkTalk has had thousands of sets of customer data stolen, complete with bank details and full addresses – worst-case scenario stuff. While a lot was made about the scale and sophistication of the attack, in the end it turned out to be a good ol’-fashioned SQL injection attack. You know, that thing everyone cautions against. SQL Server Security 101. That, combined with personal details stored unencrypted in plain text, made for a very bad week for the company and their customers.
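To make the "Security 101" point concrete, here is an added example (not code from the original post, and nothing to do with TalkTalk's actual systems) that puts the classic string-concatenated lookup next to its parameterised fix. It uses Python's built-in sqlite3 module and a constructed three-row customers table; the table layout and the probe string are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows (not real customer data); the schema is an assumption.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """BAD: untrusted input is pasted straight into the SQL text, so a quote
    in the input changes the structure of the query."""
    sql = (
        "SELECT id, username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """GOOD: a bound parameter; the driver passes the value separately from
    the query text, so it can only ever be compared as a string."""
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook probe: closes the quoted literal and appends an always-true clause.
PROBE = "x' OR '1'='1"


def demo():
    """Run the same inputs through both lookups and return the results."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PROBE),  # every row comes back
        "safe": lookup_safe(conn, PROBE),              # no such username: []
        "normal": lookup_safe(conn, "bob"),            # ordinary lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The fix is not escaping or filtering the input but changing how the value reaches the database: with a bound parameter there is no way for the value to alter the query's structure, which is why every serious ORM and database driver offers it. Auditing a codebase for string-built SQL (concatenation, `%`/`format`/f-strings feeding `execute`) is the quickest way to find the lapses this post is talking about.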
There’s no way to make a 100% secure system – there will always be elements you didn’t design, and people will always be smart and determined enough to make use of any weakness in commercial systems. Brute force attacks happen more often as processor cycles drop in price, and commercial cracking kits can be pointed at insecure sites with a minimum of know-how. All of which makes it more important to have multiple, redundant layers of security in place.
It seems pretty likely that there are plenty of people at TalkTalk who knew about these potential security holes – after all, knowing there’s a problem and getting it fixed in a company of any size is not as straightforward as A to B.
How many companies are allowing unforgivable security lapses purely because of the cost or difficulty involved in plugging those gaps? What will be the tipping point that sees companies taking (or being forced to take) security seriously? I have a feeling it will take some high-profile bankruptcies directly attributable to this sort of attack.
Naming absolutely no names, have you ever run into resistance in implementing what you know to be vital security features?