A number of high profile breaches of online data security, including most recently a claim that millions of eBay customer accounts had been compromised, have once again brought into focus the importance of robust online data and customer account protections and the potential penalties that may follow data breaches.
In eBay’s case, the breach came to light after it issued an advisory to its customers to change their passwords due to a cyber attack that had compromised a database holding non-financial data. An internal investigation found that attackers had compromised employee login credentials to gain access to its corporate network sometime between late February and early March 2014.
The UK data protection body, the Information Commissioner’s Office (ICO), has this month published a security report, Protecting personal data in online services: learning from the mistakes of others, which looks at a number of the most common IT security vulnerabilities that lead to data breaches.
The flaws cited include poor password storage, poorly designed networks in inappropriate locations, a lack of protection from structured query language (SQL) injection, poor decommissioning of old software and failing to update software.
The report makes a number of recommendations, including hashing and salting passwords, creating a well-designed security architecture, awareness of all of the components of a service to ensure that they are fully decommissioned, and implementing a software updates policy. Software updating has become even more urgent since Microsoft stopped supporting its Windows XP operating system and the discovery of the Heartbleed security flaw.
The ICO says that all organisations should have a basic understanding of these types of threats and that the report is aimed primarily at data protection officers and senior managers. The ICO can issue fines of up to £500,000 for serious breaches of the Data Protection Act 1998.
In January it fined Sony £250,000 for a failure to prevent hackers gaining access to millions of customers’ data, including payment details, on the Sony PlayStation Network Platform. In assessing the fine, the ICO took into account aggravating features such as Sony Computer Entertainment Europe’s (SCEE) failure to ensure that appropriate technical measures were in place (such as additional cryptographic controls to protect passwords), to anticipate further attacks, and to take appropriate security measures sooner.