In today’s world, most businesses rely on some sort of IT system or e-trade platform, but where these are old or unsupported, they can provide an easy access point for cyber criminals. Conversely, overly complex IT systems can also pose issues due to poor patching or where they ‘talk’ to third-party networks. Ransomware, DDoS (distributed denial of service) and SQL Injection are some common types of attack on IT systems. The latter, SQL Injection, is an extremely well-known and easily avoidable attack that involves cyber criminals exploiting system vulnerabilities, for example by inserting code into the website search bar, which enables them to amend, interact with and extract data from databases.
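To show why this attack is described as easily avoidable, the following added example (not part of the original article, and not a reconstruction of any real incident) runs the same search-bar lookup twice using Python's built-in sqlite3 module: once with the search text pasted into the SQL string, and once with it passed as a bound parameter. The table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (name TEXT, public INTEGER);
        INSERT INTO products VALUES
            ('router', 1), ('handset', 1), ('internal-test-sku', 0);
        """
    )
    return db


def search_vulnerable(db, term):
    # The search text becomes part of the SQL statement itself, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM products "
           "WHERE public = 1 AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))


def search_parameterized(db, term):
    # The statement is fixed; the driver binds the search text as a value,
    # so it is only ever compared against data and never parsed as SQL.
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    db = build_db()
    ordinary = "rout"
    crafted = "' OR 1=1 --"  # constructed input containing SQL syntax
    for label, term in (("ordinary", ordinary), ("crafted", crafted)):
        print(label, "vulnerable:   ", search_vulnerable(db, term))
        print(label, "parameterized:", search_parameterized(db, term))
```

With the ordinary term both functions return the same result; with the crafted term only the concatenated query returns the row marked non-public, while the parameterized query returns nothing.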
In October 2015, telecommunications company TalkTalk reported it had been subject to a SQL Injection attack, which enabled thieves to access customers’ personal data including names, addresses, dates of birth and financial information. In total, 156,959 customers’ personal details were accessed, including the bank details for 15,656 customers. A problem was first identified when internal reports showed its network was operating more slowly than normal. Further investigation found there had been an attack, and TalkTalk replaced its websites with a holding page, reported the data breach to the Information Commissioner’s Office (ICO) and started telling its customers. The ICO’s investigation found that TalkTalk had failed to take appropriate measures to keep its customers’ personal data secure and issued its largest ever fine at the time - £400,000.