Hacks based on SQL injection techniques hit the news on a worryingly regular basis. It's worrying because, despite having been discovered well over 15 years ago (as discussed in Vice), SQL injection remains just as present in the modern-day landscape of cyber threats.
SQL injection involves hackers (sometimes young "script kiddies" working from online tutorials) exploiting vulnerabilities in web applications in order to access the underlying SQL databases. This allows them to access data that should be off limits, or even to go further and delete or change data.
Statistics continue to back up the prevalence of SQL injection techniques. Time and again, SQL injection incidents top various threat lists, including Hackmageddon's Hack Techniques chart. According to Verizon, SQL injection is involved in nearly a quarter of incidents where card details are compromised.
One would think that the need to protect against SQL injection would be painfully apparent to developers and IT professionals by now, but it's clear many are coming up short. Incapsula provides a detailed guide to SQL injection, containing various suggestions for mitigating these attacks. Mitigations can include implementing strict user input validation in web apps and rolling out web application firewalls.
There are numerous organizations that already wish they'd done more to protect themselves. Let's begin with the Illinois Board of Elections.
Election Hacking
SQL injection was implicated in a hacking incident in the run-up to last year's US election. According to The Register, a security breach involving the personal data of 200,000 Illinois voters was due to the exploitation of a SQL vulnerability.
The related database had to be taken out of service for 10 days to recover from the attack. While this wasn't an attack that anyone believes was intended to influence election results, it seems likely that the hackers could have gone further had they chosen to.
TalkTalk UK
TalkTalk is a UK-based telecoms company and ISP. It suffered a major data breach back in 2015 - and the cause was an SQL injection attack.
TalkTalk's incident affected 157,000 customers, resulting in plenty of negative publicity and inevitable reputational damage. Around 16,000 of the worst-affected customers had their bank details exposed in the attack, with over 100,000 losing "sensitive personal data." The company's share price took a hit of 30% at the time.
Archos
Going back a little further, hardware manufacturer Archos was hit by a SQL injection attack over Christmas 2014.
The French company, which manufactures Android tablets and smartphones, fell victim to a hacking group known as "Focus," according to SC Magazine. While this particular hack didn't involve any credit card numbers or banking details, it was still a major embarrassment for the company. The following month, the hacking group posted two batches of 50,000 of the firm's customer details online for anyone to see.
These three incidents are merely the tip of the iceberg for a threat that's comfortably into its second decade without losing any momentum. It's hard to imagine anyone's seen the last of such reports.





