Unless you’ve been living under a rock, you’ve heard all about the massive Target data breach. After all, it’s hard not to take notice when the personal information of 110 million people is stolen. However, such massive breaches are rare. Far more frequent, are smaller, less well-known and often unheard of breaches that impact organizations worldwide every day. While these breaches may not be on the evening news, their relative impact on the people affected by them is equally harmful.
Over the next few weeks, we’ll profile a few smaller-scale, high-impact breaches and share our insights about what went wrong and how these breaches could have been prevented. Although these incidents occur on a regular basis in the US, below is an example of one prominent targeted attack that put more than financial records at risk in South Africa.
Targeted breach – South African Police Service, 2013
Anonymous is responsible for jeopardizing the lives of thousands of individuals after revealing the identities of users of an anonymous whistleblowing website that is run by the South African Police Service (SAPS).
As a result of a simple SQL injection, roughly 16,000 records dating back to 2005 were exposed, exported and posted to a website hosted by Anonymous. Details obtained included the names, addresses, phone numbers and email addresses of whistleblowers. Since the website is hosted outside of South Africa, authorities were unable to shut it down. Subsequent to the incident, thousands of informants and their families became easy targets for vengeful criminals.
Considering that the database was easily hacked, people are concerned that SAPS isn’t following strong security measures.
Expert insight: In order to prevent SQL injections, security administrators should implement input validation techniques. By doing so, user input is authenticated against a set of rules that regulate input length, type and syntax. Additionally, organizations should create application-specific database user accounts and grant users access permissions to the database with the lowest privileges possible.
For more recent examples of cyberattacks, check out our recap of recent incidents here: bit.ly/1hIE8VU.
