Again we learn, that like the old adage “the way to man’s heart is through his stomach”, “the way to a corporation’s data is through their applications”. A hacker announced that he was able to get through to the RBS WorldPay Database via a SQL Injection vulnerability in one of their web applications. This is nothing new.
Last week the CEO of Heartland Payment Systems, Robert Carr, highlighted that it is not just web applications that have the flaws. The breach, that ultimately had more than approximately 130 million card numbers leaked from Heartland’s payment systems, was actually initiated through an unrelated corporate application. This too, was exploited via SQL Injection, allowing the attacker to use the database to get a “position” on the network from which undetectable-malware delivered a sniffer that was installed to collect passing card numbers from the card payment system.
Heartland had many penetration testers and certified security auditors (including PCI QSAs) constantly crawling all over their systems – even after they had learned of the injection attack. They had been reassured that their card data was still safe for many months. Alas, history tells us that they had a false sense of security – until they went looking for the sniffer based on lessons learned in the Hannaford Brother's data breach.
Now – like Heartland – the initial claim of RBS (owners of WorldPay) is that no data was leaked in this recent exploit. How long will it be before we learn otherwise?