Around the number of 770,000 records of personal information consisting of travel insurance clients, names, phone numbers, email addresses, travel dates and prices for policies was stolen around December 18th. Aussie Travel Cover notified 3rd party agents, but did not let their customers or policy holders know.
Investigation led to a hacker named Abdilo, who has mastered SQL Injection, who claims that he did it because he was bored. Information was dumped onto Pastebin. In chat, Abdilo states “It is irresponsible, I do not justify what I do, if you are vuln [vulnerable to hacking] 99 per cent of the time, I am going to steal everything and release it and/or sell it.”
Several customers found out (not by notification from Aussie Travel Cover) and were very disappointed with not being notified that their data was stolen. My research of the Australian Privacy Principals has so far, not shown that Australian companies are required to notify customers of breaches for Personal Information.
SQL injection is by far one of the most effective, easiest, and far-reaching attacks. SQL injection attacks are reported on a daily basis as more and more websites rely on data-driven designs to create dynamic content for readers. SQL injection is a code injection technique that exploits a security vulnerability within the database layer of an application. This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements.
SQL Injection is number 1 in the OWASP (Open Web Application Security Project) Top 10 riskiest and most exploited vulnerabilities.
Although SQL injection is most commonly used to attack websites, it can also be used to attack any SQL database.
The first step to performing a SQL injection attack is to find a vulnerable website. One of the easiest ways to find vulnerable sites is known as Google Dorking. In this context, a dork is a specific search query that finds websites meeting the parameters of the advanced query you input.