One year after London-based telecommunications giant TalkTalk warned that it had suffered a SQL injection attack that resulted in the theft of customers' personal information, the company was slammed with a record fine for poor information security practices by Britain's data privacy watchdog, the Information Commissioner's Office.
The findings from the ICO's investigation - issued in partially redacted form in October - offer essential lessons for other organizations, large or small, that want to avoid becoming data breach victims, says David Stubley, CEO of the security consultancy 7 Elements.
"One of the primary ones that we should be looking at here is that businesses aren't actually learning lessons from other people's breaches," Stubley says in an interview with Information Security Media Group. "Clearly we've had a long history of SQL injection attacks against very big, well-known brands over the last decade, and I do think that [businesses] should be asking themselves some very key questions: 'Are we susceptible to this? What have we done to see if we are and how do we remediate? And how do we gain assurances that actually, we're not carrying that exposure?'"
The Need for Technology Due Diligence
Based on the ICO's report, the TalkTalk breach also highlights the importance of conducting technology due diligence, he says. The SQL injection flaw exploited in the 2015 attack existed in systems TalkTalk inherited when it acquired rival telco Tiscali's U.K. operations - and its IT infrastructure - back in 2009. The ICO's report said this infrastructure was not being maintained or patched and had a known, serious vulnerability that was exploited by an attacker using sqlmap, a freely available open-source tool that automates the detection and exploitation of SQL injection flaws and can pull data straight out of the back-end database.
The attacker's use of the tool raises the question of why TalkTalk wasn't running the same kind of automated testing against its own systems to find and eradicate such flaws before hackers came calling. "If you've got automated tools that are able to exploit weaknesses trivially, then you're opening yourself up to attack," Stubley says.
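The pattern that tools such as sqlmap automate, shown here as an added example that is not part of this article and not TalkTalk's or Tiscali's code: a constructed in-memory SQLite table (the schema, account IDs and staff rows are illustrative assumptions), the legacy string-concatenated lookup beside its parameterised replacement, and a crude boolean-based probe of the kind an automated scanner sends to decide whether a parameter is injectable. The payloads are the textbook ones; nothing here reproduces the actual TalkTalk attack.

```python
import sqlite3

# Constructed sample data for this example only; not any real customer data.
CUSTOMERS = [
    ("A1001", "Alice Example", "alice@example.net"),
    ("A1002", "Bob Example", "bob@example.net"),
]
# A second table the application never meant to expose through the lookup.
STAFF = [("admin", "constructed-hash-value")]


def make_db():
    """Build the assumed schema in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", STAFF)
    return conn


def lookup_vulnerable(conn, account_id):
    """Legacy pattern: user input is pasted straight into the SQL text, so a
    quote in the input changes the statement's structure."""
    sql = f"SELECT name, email FROM customers WHERE account_id = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account_id):
    """Parameterised query: the value travels separately from the SQL, so it
    can only ever be compared against account_id, never parsed as SQL."""
    sql = "SELECT name, email FROM customers WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


def probe_boolean_blind(lookup, conn, known_id):
    """Crude version of the boolean-based check an automated scanner performs:
    append a condition that is always true, then one that is always false,
    and compare the responses. A parameter is flagged as injectable when the
    true-condition response matches the clean baseline but the false-condition
    response differs. Returns True if the endpoint looks injectable."""
    baseline = lookup(conn, known_id)
    with_true = lookup(conn, f"{known_id}' AND '1'='1")
    with_false = lookup(conn, f"{known_id}' AND '1'='2")
    return baseline == with_true and with_true != with_false


if __name__ == "__main__":
    db = make_db()
    # Tautology: dumps every customer row through the vulnerable lookup.
    print(lookup_vulnerable(db, "' OR '1'='1"))
    # UNION: pulls rows from a table the lookup was never meant to touch.
    print(lookup_vulnerable(db, "x' UNION SELECT username, password_hash FROM staff--"))
    # The same payloads against the parameterised lookup return nothing.
    print(lookup_safe(db, "' OR '1'='1"))
    print(probe_boolean_blind(lookup_vulnerable, db, "A1001"))  # True
    print(probe_boolean_blind(lookup_safe, db, "A1001"))        # False
```

The probe is the defender's version of the attacker's first step: the same true/false differential that sqlmap runs is cheap to run against your own endpoints, and a parameterised query fails it cleanly because the injected quote never reaches the SQL parser.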
In this interview (see audio link below photo), he also discusses:
- Essential information security takeaways from the TalkTalk breach;
- Patch and configuration management and testing essentials;
- How the EU's new General Data Protection Regulation will alter Europe's data breach awareness.
Stubley is the founder and CEO of 7 Elements, based in Edinburgh, Scotland. He was previously manager of penetration testing services for Royal Bank of Scotland, and he served as a penetration testing project manager for Britain's Ministry of Defence as well as an IP technical security engineer for MCI WorldCom.