back to article Watchdog bites hotel booking site: Over 3k card details slurped

Hotel booking website Worldview Limited has been fined £7,500 over a security breach involving its website that allowed hackers to swipe the full payment card details of some 3,814 customers. Sensitive data was accessed after the unidentified attacker exploited a SQL injection flaw in Worldview website to access the firm's …

  1. Crazy Operations Guy

    "a less sever fine that didn't run the risk of putting the company out of business."

    They should go out of business. Simple problems like this need to stop and they won't until someone starts making an example of the offenders. And a fine of £7,500? The company won't even notice that, hell I wouldn't have a problem paying that fine myself. At least make the fine much greater than the cost of fixing it (and then if they fix the issue, provide a discount equivalent to what they spent doing so).

    1. Robert Helpmann??
      Childcatcher

      Re: "a less sever fine that didn't run the risk of putting the company out of business."

      The article mentioned that the amount of the fine was based on the company's situation so presumably the idea was to allow the company to continue but be proportional to the size of the company. I think it might be effective to make fines of this nature based on a simple percentage of overall corporate income (both on- and off-shore). and multiply it by the total number of times they have committed the act to be punished within the past year. Extend that check an additional year for each recent violation and we might have a workable way to discourage misbehavior of this sort. Fines might be used to purchase some technical expertise for the company to keep it from happening again in the case of a second offense.

  2. Anonymous Coward
    Anonymous Coward

    fuckwittery of the highest order!

  3. DrStrangeLug

    Including the 3 digit security code?

    Er, according to most payment providers I've seen they're not allowed to store that.

    1. Crazy Operations Guy

      Re: Including the 3 digit security code?

      Indeed, the 3/4-digit security code is supposed to be entered every single time and never stored and used as an extremely basic 2FA method. Otherwise what is the point of its existence (Well, its a piss-poor attempt at fraud prevention, so really it shouldn't in the first place and instead be replaced an actual OTP token)?

  4. Anonymous Coward
    Anonymous Coward

    SQL Injection!!!

    Sorry but there is no excuse for SQL injection flaws, they've been around since the first website talked to a database and the resolution is very simple input validation.

    The developer who wrote the App code should be tarred, feathered and sacked.

    The IT manager who never bothered to run a simple website testing tool should be forced to wander the streets with a sandwich board saying "I don't know what I'm doing"

    And the CEO that employs these muppets and doesn't think about their customers security, simple bullet to the head.

    And if Worldview is a one man operation...just do all 3.

    1. gnasher729 Silver badge

      Re: SQL Injection!!!

      I've never done any SQL programming (although I did quite a bit of work with dBase in the day, and with CoreData nowadays). So when I heard of SQL injections, I thought there was some magical cleverness going on...

      The reason I thought it had to be really clever was because I just couldn't imagine that anybody would be stupid enough to take user entered data and make it part of a command that is sent to the server in textual form. But they are! I would have thought that it would be trivial to write a function that takes _any_ string that a user might have entered, and generate a string literal representing exactly that string in SQL. So when I first read a proper explanation, I almost lost the believe in humanity.

      1. Evil Auditor Silver badge

        Re: SQL Injection!!!

        Never underestimate the stupidity of users developers.

      2. the spectacularly refined chap

        Re: SQL Injection!!!

        The reason I thought it had to be really clever was because I just couldn't imagine that anybody would be stupid enough to take user entered data and make it part of a command that is sent to the server in textual form.

        When you put it like that it sounds obvious and it's the kind of thing you would do automatically when programming in a mature, compiled language - validate and convert to internal form on input and do whatever conversions are necessary on output. However is gets a lot less clear with a lot of the web languages, which invariably seem to be designed to make it easy to cobble something together rather than aid solid, dependable coding. For example, user input is stashed in variables before your script even runs, variables are dynamically typed and you often need the same data in multiple formats. It is often less than clear what is potentially troublesome.

        That alters the vulnerable area from something small and well-defined to something much larger and raggedy. Simple mantras such as "quote all strings, job done" don't cover all the bases. Other quantities such as integers may well need handling differently, however in a dynamically typed language what you just know is an int may well in fact be a crafted string unless safeguards are put in place to guard against that.

        So the mantra becomes "quote all strings, half the job done". You've still got a lot of work to do the find and weed out the rest of the vulnerabilities. All of a sudden doing the job properly doesn't look quite so trivial.

        1. Kubla Cant

          Re: SQL Injection!!!

          "validate input" - certainly worth doing, but not a protection against SQL injection.

          "quote all strings" - emphatically not. This implies that user-entered values are still being used to cobble together a SQL statement by string concatenation.

          The safe way to protect against SQL injection is to use prepared statements and parameters. There is no way that parameter values can be converted into SQL commands, regardless of quotation marks*.

          * Unless your database is a Walt Disney production, or you're using some kind of "execute immediate" feature, in which case you deserve whatever you get.

  5. Evil Auditor Silver badge

    £7'500?

    ...but the ICO was required to consider the firm’s financial situation...

    So, if you're bad business people you get away with such "fuckwittery of the highest order"*?

    *thanks, AC

    1. Fatman
      FAIL

      Re: £7'500?

      So, if you're bad business people you get away with such "fuckwittery of the highest order"*?

      What the hell do you expect coming from the job creators??

      Some Mangler was more likely worried about the reduction in his annual bonus, than spending the $$$ to do it right from the onset.

      ONLY appropriate icon -------------------------------------------------------------------->

  6. Anonymous Coward
    Anonymous Coward

    PCI compliance?

    What a joke!

    1. FlatEarther

      Re: PCI compliance?

      How so? If they were PCI compliant they would not have been storing the keys AND they would have been doing PEN tests to detect the SQL Injection vulnerability.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like