The Racing Post, which suffered a data breach affecting over 677,000 users late last year, has escaped a fine but has agreed to sign an undertaking promising to try harder to keep its services and data secure.
According to the Information Commissioner’s Office (ICO), the Racing Post has been slacking off on its security arrangements since at least 2007, and has been given until the end of February 2015 to get its house in order.
The breach was a typical SQL injection attack that led to leaking of user data on 677,335 people who had signed up to the sport betting website.
The ICO has the power to impose a fine of up to £500,000 on “data controllers” found to be in breach of the Data Protection Act, as it demonstrated earlier this week with a £180,000 penalty imposed on the Ministry of Justice.
Although the Racing Post breach affected a large number of people, the ICO requires leaked data to cause “substantial damage and distress to the individuals affected” to merit a fine, and in this instance the data was found to be insufficiently sensitive.
It did, however, include names, addresses, phone numbers, dates of birth and passwords in a form described as “encrypted” but which appeared to be lacking the proper salting required to keep them safe (they apparently used simple MD5 hashing, making brute-forcing far easier than it should be).
Many people would likely feel fairly distressed to learn that all that personal data was in the hands of malicious hackers.
According to the text of the undertaking:
During the Commissioner's investigation it was determined that the data controller had consulted security experts and procured penetration testing in 2007. However since that time there had been no steps taken to keep abreast of security developments. In the Commissioner’s opinion, this placed the data at an unacceptable level of risk of inappropriate processing.
It seems improbable that anyone could run a busy website for six years without taking any kind of security precautions, but that seems to be the implication.
By 28 February 2015, the Racing Post is promising to implement a proper password-storage system, to set up a proper process for software patching and updating, to run regular security testing, to monitor compliance with proper security policies and to “implement such other security measures as it deems appropriate”.
Six full months seems like a long time to get up to speed with what should be basic everyday security steps for any business.
With the barrage of epic breaches making headlines almost daily, no-one can be unaware of the importance of protecting any and all data held by a business or institution, and anyone who’s not reviewed their security policies in the last few years needs to wake up and get moving.
There are well-defined industry standards for secure storage of passwords, and a wealth of options for encrypting any other data that needs to be stored. Patching and updating of software may be a chore, but more and more providers are building in automated update systems to take the strain off sysadmins.
SQL injection attacks have been a common technique for well over a decade, and most are facilitated by sloppy or incomplete filtering of input data. Any web-facing system which accesses databases needs to be checked for proper input sanitizing.
This checking needs to be done both from within the organisation and from outside – third-party penetration testing should be a routine part of maintenance processes, running at least annually with no six-year breaks.
It remains to be seen whether making people stand up and acknowledge their failings, and promise to rectify them, will be enough to encourage everyone to make the proper effort.
The enormous media attention given to the steady stream of incidents in the last few years doesn’t seem to be getting the message through, and it could be that we need to start imposing stiffer penalties on those failing to pull their weight, regardless of how much “damage and distress” their leaks are perceived to have caused.