Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites. While the size of this particular breach is unparalleled, news of yet another data security breach does not come as much of a surprise. What is concerning, however, is how unsophisticated and common the tactics used were, and the number of companies that still remain vulnerable to such attacks.

The Russian crime ring reportedly, at least in part[1], used what is known as the SQL injection (“SQLi”) method, a very well-known hacking technique. SQL is a computer language that is used to send queries to databases. It is used, for example, in username and password fields on websites. The coding in these fields commands the website’s database to search for the stored username and password; if both match, the website allows the user access. The problem with this type of SQL coding is that it can be difficult to prevent a site visitor from inputting information other than usernames and passwords. An attacker can therefore “inject” malicious code into the input boxes that allow the hackers to download entire databases of information. The risk of SQLi has dramatically risen with the proliferation of automated tools, which allow hackers to attack many websites at once with ease, instead of having to manually enter malicious code into each site.

Source: VeraCode, http://www.veracode.com/security/sql-injection

Certain forms of SQLi attacks are common and preventable, and the FTC has brought complaints against companies for failing to guard against this type of attack.  Companies should look to prior enforcement actions and consent decrees to ascertain the FTC’s ever-evolving “gold-standard” security standard expectations, but effectively guarding against SQLi attacks is certainly one of the FTC’s expectations.

Additionally, depending upon the state, companies with compromised websites may be required to report the breach under data breach reporting laws.  For example, Florida and California recently amended their breach notification laws to include username and password combinations in the definition of personally identifiable information that, if breached, would need to be reported to users.

Best Practices

Prevention

The good news for companies is that this common attack is preventable.  SQLi vulnerability begins during the website development stage, where website security is often not sufficiently addressed.  The security company Veracode advises companies to take simple precautions during the development phase to prevent SQLi attacks, such as:

1. Adopt an input validation technique in which user input is authenticated against a set of defined rules for length, type, and syntax and also against business rules;
2. Ensure that users with the permission to access the database have the least privileges;
3. Make sure that a database user is created only for a specific application and this user is not able to access other applications;
4. Remove all stored procedures that are not in use; and
5. Show care when using stored procedures since they are generally safe from injection. However, be careful as they can be injectable.

Source: VeraCode, http://www.veracode.com/security/sql-injection

Response

Additionally, companies who believe they may have been compromised by the most recent SQLi attack would be advised to do the following in response:

1. Conduct a forensic investigation into the database, to determine what, if any data, have been breached;
2. Understand the full scope of the data that was stolen;
3. Compare the compromised data to the types of data protected by your state’s data breach and notification laws;
4. If required to report the data breach and notify consumers under state law, report the breach within the statutorily designated time period; and
5. Anticipate and plan for the possibility of plaintiffs’ suits and FTC enforcement actions.

Implementing these preventative measures can both dramatically decrease vulnerability to hackers, and protect a company from suit and/or FTC enforcement action in the event of a breach.

[1] Since the breaking of this story, it has been reported that a large percentage of the credentials could have been obtained from previous large-scale data breaches, such as Adobe, LinkedIn, RockYou.com, and eBay. http://www.cnn.com/2014/08/07/opinion/wisniewski-hack-passwords/