SQL Injection Attacks among Threats to Company Data

June 28, 2011

Sony recently suffered its third major attack by hackers. Responsibility was claimed by Lulz Security, which said it used a simple SQL injection. So, what is an SQL injection? And has your company undertaken a data protection and data security audit that would ensure precautions are taken against SQL injection, amongst other threats?

An SQL (“Structured Query Language”) injection is a common technique used by hackers to steal data from a database. The hacker enters SQL commands or code into an input box, such as a login and/or password field, in order to gain access to the company’s database.

Typically, when a legitimate website visitor enters his or her username and password, an SQL query is generated from that input and submitted to the database. If the credentials are verified, the user is allowed access; otherwise, access is denied.

Unless there are mechanisms in place to block input other than names and passwords, hackers can use such input boxes to send their own requests to the database, which may, for example, store customers’ and employees’ confidential and private information that is subject to the Data Protection Act 1998. The result may be that information in the database is viewed and/or deleted.
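As an added illustration (not code from the original post), here is the login query the article describes, written twice in Python with sqlite3: once assembled from the visitor's input as text, and once with the input passed separately as bound parameters so the database treats it as data. The table, user and inputs are constructed for the demonstration.

```python
import hashlib
import sqlite3


def _digest(password):
    # SHA-256 is used only to keep the demo short; a real system stores
    # passwords with a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", _digest("correct horse battery")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Pastes the username straight into the SQL text. Whatever the visitor
    types becomes part of the statement, so a quote character ends the
    string literal and the rest of the input is executed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + _digest(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Sends the SQL and the values separately; the driver binds the values
    as data, so a quote in the username is just a character in a string."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, _digest(password))).fetchone()
    return row is not None


def compare(username, password):
    """Runs both login paths on the same input and returns their verdicts."""
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password)}


if __name__ == "__main__":
    print(compare("alice", "correct horse battery"))   # both grant access
    print(compare("alice", "wrong"))                   # both deny access
    # Input that ends the quoted literal and comments out the password check:
    # only the string-built query is fooled; the bound query finds no such user.
    print(compare("alice' --", "anything"))
```

Running the script prints the three comparisons; the third line is the one that shows why the first query form is the weakness the article describes.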

The simplicity of SQL injection and the availability of automated tools have made this technique, and similar ones, increasingly popular.

A privacy, data protection and security audit is necessary to identify potential gaps and weaknesses in your organisation’s privacy, data protection and security regime, including vulnerability to SQL injection, and to ensure your company is complying with data protection principles.

McGuireWoods Global Data Security Team

Counseling regarding data protection, including global data breach and privacy issues, is one of the services of McGuireWoods’ interdisciplinary Technology & Outsourcing practice, which provides legal services for business transactions driven by technology. Foremost among our diverse services are IT procurement, outsourcings, e-commerce transactions, data security, and dispute prevention and resolution. Our clients include Fortune 100 corporations, governmental entities, nonprofit organizations, and emerging business enterprises spanning the industry spectrum.