Faithless Fans Suffer Data Breach thanks to SQLi Flaw

Nearly 20,000 fans of British electro band Faithless have had their personal details stolen, exposing them to follow-up phishing and fraud attacks, according to a report.

Security firm Cyberint caught wind of the attack after it discovered a database on the Dark Web containing details including fan email addresses and passwords for the Faithless.co.uk site.

Even with limited information like this, cyber-criminals could create convincing phishing scams—for example, emails spoofed to come from the site looking to harvest additional details.

The breach itself occurred back in September, but was only confirmed by Cyberint this week, according to The Independent.

It was apparently a simple SQL injection attack—one of the most common around. These are easy to fix, and the vulnerability was locked down soon after by the site owners, but they crucially failed to inform users, according to the report.
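As an added illustration (not code from the article or from the site concerned), here is the kind of fix the article describes as easy: the same fan lookup written with string concatenation beside its parameterized form, run against a constructed in-memory SQLite table whose rows are assumptions for this example. An email address containing an ordinary apostrophe is enough to show that concatenated input is parsed as part of the SQL statement, while a bound parameter is treated purely as data.

```python
import sqlite3

# Constructed in-memory stand-in for a fan database; table, column names and
# rows are assumptions for this example, not data from the report.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fans (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO fans VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("o'brien@example.com", "hash-b")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The email is pasted into the SQL text, so any quote character inside it
    # becomes part of the statement and changes what the database executes.
    sql = "SELECT email, pw_hash FROM fans WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the value is bound separately from the statement,
    # so the database never interprets user input as SQL syntax.
    sql = "SELECT email, pw_hash FROM fans WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo() -> dict:
    # Run both lookups with the same apostrophe-bearing address and report
    # what each one did; the vulnerable query fails to parse, the safe one
    # returns exactly the matching row.
    conn = make_db()
    awkward = "o'brien@example.com"
    safe_rows = lookup_safe(conn, awkward)
    try:
        vuln_rows = lookup_vulnerable(conn, awkward)
        vuln_error = None
    except sqlite3.OperationalError as exc:
        vuln_rows = None
        vuln_error = str(exc)
    return {"safe": safe_rows, "vulnerable": vuln_rows, "vulnerable_error": vuln_error}

if __name__ == "__main__":
    print(demo())
```

The failing parse is the visible symptom; the underlying defect is that the concatenated query lets input rewrite the statement, which is why binding parameters, not filtering quotes, is the fix.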

“I think they fixed the issue but they didn’t quite go out and tell anyone that, so that leaves their fans, about 18,000 people, unaware that their private information has been compromised,” Cyberint marketing chief, Elad Ben-Meir, told the paper.

SQL injection flaws have been around for over a decade yet still persist. In fact, an audit of over 50,000 enterprise applications by app security firm Veracode discovered that one in five had at least one such vulnerability.

“Organizations can mitigate SQL injection with the right care and attention,” according to Veracode senior solution architect, Paul Farrington.

“All organizations need to be working to gain full visibility into their web application perimeter and run frequent scans on all existing applications to ensure that they remain protected from the threats that new or changed applications introduce, or from newly-discovered vulnerabilities.”

Eduard Meelhuysen, EMEA vice president at Netskope, warned firms that failing to notify European users about breaches of personal data will soon be illegal thanks to the coming General Data Protection Regulation (GDPR).

“Under the GDPR, companies will be required to notify national data protection authorities of a serious data breach within 72 hours. In certain cases, businesses will also be required to notify affected individuals so they can take necessary precautions and remain vigilant to cyber-criminals making use of their compromised data,” he explained.

“Many businesses unused to such strict measures may struggle as they will need to identify not just the breach itself but also the data most likely to have been affected.”

IT leaders should be taking steps to ensure compliance now, he advised.
