A UK travel company has been fined £150,000 by the Information Commissioner’s Office (ICO) for leaking more than 1,000,000 credit card records.
Here’s what seems to have happened.
Imagine you’re a web developer.
You’ve been told to knock together a quick database system, for internal use only.
The software needs to keep track of a car parking business that your employer operates, but it won’t store customer data or be customer-facing.
You might take a path something like this:
- It’s internal only, and won’t have any personally identifiable information (PII), so you might as well code now, secure it later.
- It’s internal only, and pretty basic, so it’s not going to get budget for its own server, so you might as well dump it in a corner of the main database server.
- It’s simple enough that it works, so everyone uses it.
That’s when the trouble starts, thanks to the last part of Item 1, “secure it later.”
Because of Item 3, you get lumped with Item 4:
- It’s internal only, but people need to use it from home.
So you knock up a quick authentication page and open it to the outside word via a “secret” URL.
You reason that the crooks first have to work out where to connect and then to crack a password, and even if they do, they’ll not get much more information than how much your parking spaces cost, which they could probably find out by phoning for a quote anyway.
Back in real life, of course, a crook does eventually work out where to connect (a bit of Wi-Fi sniffing might do it), has a poke around, and quickly realises he doesn’t need to login at all.
He finds can use SQL injection, where he sends a query with a database command hidden in it, and tricks the server so it doesn’t use the command as a search term (which would be harmless), but actually runs it as a command (which is not harmless at all).
From there, the crook can give himself access to the database administration console, and since your cark park application is on the same server as your main e-commerce site, he can help himself to all the data in it.
To wit: 1,163,996 credit card numbers dating all the way back to 2006, of which 733,397 have already expired, but 430,599 are current.
I’ve made up the details (except for the numbers – there really were more than 1,000,000 credit card records spilled), but that’s probably roughly what happened at Think W3 and its subsidiary, Essential Travel Ltd.
There are eight Privacy Principles altogether, requiring that personal information is:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept for longer than is necessary.
- Processed in line with your rights.
- Not transferred to other countries without adequate protection.
Interestingly, the company wasn’t taken to task under Principle Five, which deals with the timely deletion of redundant data, such as as long-expired credit card numbers.
Presumably the ICO felt that Principle Seven was the more important one, and wanted to make a very blunt point.
Here it is: “Secure it later” isn’t soon enough.