UK's Racing Post leaks 677,000 customer names and passwords

News by Tim Ring

SQL injection to blame for Racing Post incursion

The UK's data protection watchdog has warned companies to guard against SQL injection attacks after a hacker used this old-school technique to steal the credentials of 677,335 customers of Canary Wharf-based Racing Post.

The watchdog, the Information Commissioner's Office (ICO), announced this week that the unidentified hacker broke into the Racing Post's customer database in November 2013 and stole their personal credentials - including names, addresses, passwords, dates of birth and phone numbers.

The hacker exploited weaknesses in the Post's website code to launch an internet-based SQL injection attack.

Damningly, the ICO's subsequent investigation discovered that the Post - a daily horse and greyhound racing and sports betting newspaper and website owned by Trinity Mirror - had carried out no penetration testing on its site since 2007 and had failed to apply up-to-date security patches.

The ICO ruled that during that time the Post had taken “no steps to keep abreast of security developments” and “this placed the data at an unacceptable level of risk of inappropriate processing”.

It added: “The investigation also determined that the storage of customer passwords as un-salted MD5 hash values was not appropriate.”

But because the stolen data did not include the customers' financial information, the ICO stopped short of levying a fine, which can go up to £500,000, and simply obliged Racing Post chief executive Alan Byrne to commit to a series of security improvements.

The Post has agreed to implement future periodic security testing, introduce secure password storage and make security and other software updates.

In a statement sent to SC, the Racing Post said: “The security on was breached in a sophisticated, sustained and aggressive attack. As soon as we were aware of the situation we did everything in our power to halt the breach. We immediately established that a number of customer accounts had been accessed and requested that all customers change their passwords.

“We contacted our customers as soon as we were aware of the breach and were completely transparent about the situation in all our communications.

“We attach the utmost importance to this issue. We have made substantial changes to our security systems in the last 10 months and will continue to implement the necessary measures to ensure that our customers' information is adequately protected.”

But the ICO is warning other firms to guard against similar targeted attacks. Its head of enforcement, Stephen Eckersley, said: “The Racing Post pulled up short when it came to protecting their customers' information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers' details.”

Industry expert Paco Hope agreed that SQL injection attacks are long-established but still effective, and said Racing Post shouldn't be too heavily blamed for falling victim to this method.

Hope, a principal consultant with Cigital, told SCMagazineUK: “SQL injection is one of the top three vulnerabilities worldwide and has been consistently for a decade. The ways not to have SQL injection are very well-known.

“So on the one hand, they are falling prey to the same old thing that everybody falls prey to. But at the same time it's the most common vulnerability because it's really easy to do and so you can't look at them and say ‘you're totally negligent’. It's about how the software was written in the first place.”

Hope said that the solution is not simply IT-based, telling us: “The ICO report mislabels the problem as an ‘IT’ problem. Calling it an IT problem would lead people to believe that they can purchase some IT kit or product that fixes the problem, and that's not the case.

“The Racing Post wrote or bought software that was vulnerable to SQL injection, a very common bug. The solution is not to test the software. The solution is to fix the software.

“Building security in requires a lot more than simply testing for bugs. The Racing Post either needs to fix its software, or work with a vendor to have the vendor fix the software.”

The ICO has previously blogged with information on how to prevent SQL injection attacks.
