Faithless Site Breached with SQL Injection

By   ISBuzz Team
Writer , Information Security Buzz | Jan 14, 2016 07:00 pm PST

You may have seen the news that hackers carried out an attack on the database of Faithless, the electronic band, affecting the personal data of thousands of music fans. The data, including email IDs and passwords, has now been sold on the dark web yet, despite fixing the security issue once it had been flagged, those responsible for the database did not tell the affected individuals. As a result, around 18,000 Faithless fans were left unaware that their private information had been compromised. Security experts from Netskope and Veracode have the following comments on it.

[su_note note_color=”#ffffcc” text_color=”#00000″]Eduard Meelhuysen, VP EMEA at Netskope :

“The recent hack on faithless is just one link in a long chain of incidents which highlight the importance of data security. Businesses must be able to protect their customer data and safeguard their reputation or, in this digital age, they run the risk of becoming a huge target for those cyber criminals testing organisations’ digital defences. With more and more data stored off-premises, businesses must be prepared to take steps to secure corporate data wherever it may be. Other music websites must remain vigilant and ensure the correct security controls are in place.

“Whilst the initial security flaw was flagged and fixed, thousands of Faithless fans were left unaware that their private data had not only been compromised but was most likely for sale on the dark web. New European data protection law – the European Union General Data Protection Regulation (EU GDPR) – will soon be finalised and aims to bring an end to this lack of accountability. While the final text is yet to be brought into law, mandatory data breach reporting is firmly on the agenda. Under the GDPR, companies will be required to notify national data protection authorities of a serious data breach within 72 hours. In certain cases, businesses will also be required to notify affected individuals so they can take necessary precautions and remain vigilant to cyber criminals making use of their compromised data. Many businesses unused to such strict measures may struggle as they will need to identify not just the breach itself but also the data most likely to have been affected. Ahead of the new regulations coming into force, businesses should move to ensure GDPR compliance now, taking steps to consider the regulation and what it means for their business as well as their data use and storage policies.”[/su_note]

[su_note note_color=”#ffffcc” text_color=”#00000″]Paul Farrington, Senior Solution Architect at Veracode :

It’s disappointing to see that once again customers’ data has been stolen using SQL injection, especially after the high levels of discussion around this vulnerability at the end of last year following the high profile Talk Talk breach. Despite this vulnerability having been around for more than a decade and regularly featuring on the OWASP Top 10 list (the widely accepted standard for application security), the prevalence of the SQL injection vulnerability is disturbingly high and too frequently resulting in exposing enterprises to data loss and brand damage. In fact, Veracode analysis of data from its cloud-based application security service of over 50,000 enterprise applications, found that just over 1 in 5 had at least one SQL injection vulnerability. For cyber criminals, that’s like a car thief practically guaranteed entry into any car provided he tries all five car doors.

Organisations can mitigate SQL injection with the right care and attention. All organisations need to be working to gain full visibility into its web application perimeter and run frequent scans on all existing applications to ensure that it remains protected from the threats that new or changed applications introduce, or from newly-discovered vulnerabilities.[/su_note]