Our online data persona
It wasn't so long ago that we did everything offline. If we were very forward-thinking people we might have decided to use rudimentary online banking, but generally speaking the furthest we got to storing data about ourselves online was probably the submission of some sort of simple form. The reality now is that most of us have almost everything about ourselves stored in various places online, and probably all of it accessible from our smartphones. If you want to know something personal about us then consult Twitter, Facebook, LinkedIn, Instagram and the plethora of other major social sites. It would not be hard to very quickly get a clear idea not only of who a person is, but also of their opinions, likes and dislikes, friends, even their location and who their family members are. You probably use the same email address as an ID for an online bank account with all the details of your financial situation, and most likely you'll also deal with your household bills and utility suppliers online. You probably even do your shopping through an online account. So the reality is that everything about us is most likely online, stored in databases that we have no control over and owned by corporations that we know pretty much nothing about. In fact it is likely that less than 1% of us have even bothered to read the terms and conditions we were given; we have just pushed on regardless, knowing nothing about each of these organisations' approach to security, to ownership of data or even where they operate from.
But why should we worry? These corporations are massive, they spend huge amounts of money on protecting our data don't they? They comply with regulations of data protection and security and take the right measures to make sure that unscrupulous external parties, intent on causing havoc, cannot cause us as end users problems. Don't they?
So what's the issue?
The unfortunate reality is that, shocking though it is, many corporations seem to have been flouting the basic requirements of data security. In fact it would seem that some of them have not just been dismissing basic data security, but also not considering the fundamentals of secure web development as well.
Take the recent TalkTalk problems. A hacker, who it would appear was possibly only a teenager, used a relatively unsophisticated SQL injection technique to hack into and steal a very large amount of data from the TalkTalk website. When the Head of TalkTalk, Dido Harding, was asked if the data was encrypted her response was that she didn't know and reportedly the data taken includes a lot of personal information including addresses and emails and also partial credit card information. TalkTalk seemed to think that the fact that the credit information was unusable in this state was a victory but they are somewhat missing the point.
So let's examine this situation in a bit more detail. This latest attack on TalkTalk's website has come following a number of previous hacking attacks over the last year. This in itself should be a warning shot to the company that they are a target for hackers and that security needs to be stepped up. Why should they care about security? Because the fact is that they hold information about us as individuals that can identify us. That is a key point, because it is precisely this point that the Data Protection Act cares about. Having taken this initial information, it is not a big step to cross-reference it against other sites and very quickly build a much more detailed picture of someone. And even if they can't use the credit card information stored, they already have enough information to steal an identity and cause all sorts of problems.
What should have been done?
There are a couple of major things to consider with this particular situation. The first is the idea that TalkTalk may have been storing personal data in a database that isn't encrypted. This is a problem for two reasons. The first is that, irrespective of hacking attacks, this means that the party used to maintain that database can easily see the actual data whenever they log in to the database maintenance software they use. Anyone working for that team, or agency if it is outsourced, has unhindered and open access to all the data and can easily see all of it. Secondly, if someone hacks into the site then they also have complete open access to the data without having to do any work to try and decrypt it (which, without the encryption key, would be very hard to do). The fact that Dido Harding was unable to immediately state that the data was encrypted is a worrying sign. Whether or not that turns out to be the case, and it looks highly likely that the data wasn't encrypted, this is an admission that culturally TalkTalk have a lax attitude to storing personal data about their customers.
So what about the hack attack itself? Well this was perpetrated (supposedly) by a fifteen year old. That, in itself, is not particularly surprising. In this day and age young people are acquiring these skills as a matter of course. But what is noteworthy is that if a fifteen year old boy can casually target a major organisation, presumably with the motivation of making a quick buck or just causing trouble, then a more focussed organisation intent on actually using the data for harm (or publishing it, as others have done recently, which would cause no end of issues and egg on faces) would probably find this to be child's play. The fact that younger people are gaining these skills is in itself a worrying alarm bell that these companies need to take this more seriously.
The other concern is the technique that was used. SQL injection attacks have been around for quite some time and are not at all sophisticated in terms of hacking. They exploit a weakness in the website build, namely user input being pasted into database queries rather than passed as a parameter, that any decent penetration testing agency (an outfit specifically set up to test for security vulnerabilities in websites and software) would identify within minutes. The fact that this type of attack was successful clearly shows that little or no penetration testing was undertaken on the site when it was built, or that the results of those tests were disregarded as unimportant at the time rather than acted upon. Either way it is a startling oversight considering that personal data was being stored in the database on the site.
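To make the weakness concrete, here is an added example (not Siteset's code, and not TalkTalk's schema; the customer table and its rows are constructed for illustration) showing the vulnerable query pattern beside the parameterised form that closes the hole:

```python
import sqlite3

# Constructed sample data: a tiny customer table of the kind the post describes
# (names, emails, partial card numbers). The schema and rows are assumptions.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "4111********1111"),
    ("Bob Example", "bob@example.com", "5500********0004"),
    ("Carol Example", "carol@example.com", "3400*******0009"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, email TEXT, card_partial TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_customer_vulnerable(conn, email):
    """The weak build: user input is glued into the SQL text, so the input can
    rewrite the query's logic instead of merely supplying a value to compare."""
    sql = "SELECT name, email FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email):
    """The fix: a parameterised query. The driver sends the SQL and the value
    separately, so whatever the user typed is only ever treated as data."""
    sql = "SELECT name, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with the textbook tautology input a tester tries first.
    Returns (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return find_customer_vulnerable(conn, hostile), find_customer_safe(conn, hostile)


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable query returned", len(vuln), "rows")  # every customer
    print("parameterised query returned", len(safe), "rows")  # none
```

The vulnerable version hands back every customer on a single crafted input; the parameterised version returns nothing, because no email address literally equals that string.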
A responsible agency
The reality is that any organisation that stores personal data that is unencrypted is not only asking for trouble but is irresponsible. When we, as end users, enter our information into a website we expect the organisation to be operating within a moral and trustworthy code which includes taking the necessary steps to protect our information. We shouldn't have to be savvy and vet a company's credentials in order to trust them. If an organisation undertakes to build these sites themselves then they should not only have qualified developers, who understand security, advising on what is and isn't acceptable but they should also be operating within the understanding that data we give them is private and should be treated with the respect and security it deserves.
Similarly, if an agency has been brought in to develop a site for a company, that agency, if they are even vaguely competent, will be having up-front conversations about the nature of the data and how it is going to be stored in a secure manner. Not to do so would be incompetent, irresponsible and reckless.
At Siteset, whenever we are developing any site or software, the first thing we consider as part of any data storage is what we are storing, how we are going to make that secure and the encryption levels that may be required. Another of the conversations we have routinely with our clients is penetration testing to make sure the build is secure.
The key consideration for any company is 'are we doing enough to keep our clients' data safe', and that should be the question no matter what data is being stored. The idea that we only need to care when it is payment data is simply wrong. No matter what data is being stored, it is being given on the basis of trust, and if it isn't being stored securely then the company shouldn't be trusted. This is an area that should not be negotiable, and it is for that reason that the ICO (Information Commissioner's Office), the Data Protection Act and security standards exist. Any agency worth their salt should act responsibly when it comes to these sorts of issues. This should include explaining to their clients what is required to make sure data and builds are secure and that measures have been taken to protect content and data from attacks. At Siteset this is always our first concern.