Through its contact form?
Sounds like SQL injection - have we stepped back 10 years?
Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers. Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a …
SQL injection is my guess, as well.
I wouldn't expect a surgeon to be aware of the latest developments in web site security, but I would expect that they hired someone who is to develop and maintain their site. However, it seems that a lot of professionals in other industries believe that "anyone can make a web site", and worse, even those who do hire an expert to build the site do not see fit to have it maintained.
I am not familiar with the site in question, but based on previous experience, it could be 10 years old... or written by someone who was "cheap" and either new to building sites, or an old dog who last learned a new trick 10 years ago.
Almost certainly we have stepped back 10 years to when their contractor initially wrote the website.
SME, "working" website, why would they maintain, update or audit it? If they do anything to it, it will be getting a designer to "freshen" the look and feel, not go through the OWASP checklist.
Personally, I think almost all businesses underestimate the importance of having in house software developers and maintaining custom software. However, I might be slightly biased - as a software developer, I suppose I do have a dog in the fight...
My question would be why the hell is a contact form storing stuff in a database?!
The contact form on my company website just points at a hardcoded php form -> email script that I knocked up in about 5 mins when somebody asked if they could have a contact form on the website. Absolutely no client details are stored on the website; you could totally compromise every script on there and still gain nothing.
How do you create your marketing lists or get statistical information from the form regarding the various fields they fill in?
There are perfectly reasonable reasons for having a DB storing the details, just do it properly and use SPs, parametrise the variables or the equivalent.
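An added illustration of the point in the comment above (this is not code from any commenter or from the site in question): the same contact-form lookup and insert written with string concatenation and with parameterised queries, using Python's standard-library sqlite3 module to stand in for the site's database. The table, rows and inputs are constructed for the example. It also shows the tell-tale symptom of the concatenated version, a legitimate message containing an apostrophe producing a SQL syntax error, which parameterisation fixes at the same time.

```python
import sqlite3

# Constructed sample submissions (not real data) for the in-memory database
SAMPLE_ROWS = [
    ("alice@example.com", "Consultation on rhinoplasty"),
    ("bob@example.com", "Pricing for laser treatment"),
]


def make_db():
    """Create an in-memory enquiries table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enquiries (email TEXT, message TEXT)")
    conn.executemany("INSERT INTO enquiries VALUES (?, ?)", SAMPLE_ROWS)
    return conn


# --- The weak pattern: user input spliced into the SQL text -----------------

def lookup_vulnerable(conn, email):
    # The value becomes part of the statement, so the database parses it as SQL.
    sql = "SELECT email, message FROM enquiries WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def store_vulnerable(conn, email, message):
    sql = ("INSERT INTO enquiries VALUES ('" + email + "', '" + message + "')")
    conn.execute(sql)


# --- The corrected pattern: placeholders, values sent separately -------------

def lookup_parameterised(conn, email):
    # The driver passes the value as data; it is never interpreted as SQL.
    sql = "SELECT email, message FROM enquiries WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def store_parameterised(conn, email, message):
    conn.execute("INSERT INTO enquiries VALUES (?, ?)", (email, message))


def demo():
    """Run both versions against the same inputs and summarise the outcomes."""
    conn = make_db()
    benign = "alice@example.com"
    tautology = "x' OR '1'='1"          # constructed input that closes the quote
    apostrophe_msg = "I'm interested"    # ordinary text with a quote character

    results = {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "param_benign": len(lookup_parameterised(conn, benign)),
        "param_tautology": len(lookup_parameterised(conn, tautology)),
    }

    # The concatenated insert breaks on a perfectly legitimate message.
    try:
        store_vulnerable(conn, "carol@example.com", apostrophe_msg)
        results["vuln_apostrophe_error"] = False
    except sqlite3.OperationalError:
        results["vuln_apostrophe_error"] = True

    # The parameterised insert stores it verbatim.
    store_parameterised(conn, "carol@example.com", apostrophe_msg)
    stored = lookup_parameterised(conn, "carol@example.com")
    results["param_apostrophe_stored"] = stored == [("carol@example.com", apostrophe_msg)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated lookup returns every row for the tautology input because the quote in the input ends the string literal and the rest is parsed as SQL; the parameterised lookup treats the whole input as one literal value and matches nothing. The same placeholder mechanism is what the comment means by "parametrise the variables", whether the query lives in application code or in a stored procedure.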
Surely there was a third alternative?
They should have agreed to pay the blackmailers. Arranged for the handover in an underground carpark (where else?), then some laughing gas and drugs later, the criminals would wake up strapped to a densist's chair in a secluded location. One denist with strong German accent, a bit of giggling and drilling later, and I'm sure they could have got all the information returned, along with a fulsome apology.
Or better yet,
Darkened basement, full of surgery equipment vaguely reminiscent of a scene from Dexter.
The perp wakes up, still groggy from the anesthesia.
Chirpy voiced Surgeon:
Wakey wake sir, hope you don't mind. I had to borrow just the tiniest bit of tummy fat to achieve the desired effect!
Now won't you be popular in the Scrubs with those beautiful new boobies!
PERP....... AHHHHHHHH, !!!!!!
Nice post, have an upvote. Even if you did point out my speeling miskate. There's 2 typos in my post, and both on the word dentist. Suppressed trauma perhaps? I don't remember anything too bad. Although my dentist when I was a kid did run away to Australia. But that was with £100k of NHS funds, rather than because of anything more sinister. Or so I was told anyway...
The Duke of Wellington had the right attitude, chances are the NSA has all the details too so it's only a matter of time before the news leaks out. It's time that we, as a society, stopped allowing ourselves to be held to ransom by every snotty nosed b-steward that wanders along.
We are being held to ransom by our own fears.
The Data Protection Act imposes a legal obligation to keep personal data secure...
But there's very little guidance on how secure.
Partly, that's a good idea: detailed guidance would go out of date very quickly, and this law dates from 1998. So phrases like 'appropriate to the sensitivity of the data' and 'best practice' and 'reasonable precautions' are necessary.
But I think it's time to start grading the data:
● 'Private' - identifying data, names and addresses.
● 'Confidential' - personal conversations and correspondence, purchasing habits, etc.
● 'Under legal privilege'
● 'Places individual at risk of violence'
● 'Places individual at an increased risk of fraud'
● 'Would immediately allow transfers of funds and assets'
● 'Medical information'
● 'Child Protection'
I'm sure that you could think of others: but you wouldn't want to flag up any individual as having information of interest to blackmailers - say, a juvenile arrest for prostitution and subsequent referral to social services - as that 'flag' would be a magnet for criminals and journalists. And, in these times, for officials of the state.
What would the flags do? Well, we'd need general security standards; starting with a minimum standard for private data specifying 'Encrypted data store', 'No passwords ever stored or sent in clear text' and 'Secure sessions'.
Any information at a higher level than 'private' would need a security review of the host system every two years; and the ICO might consider issuing security alerts for high-profile exploits that require confirmation - 'yes, we've patched that' - within ten working days from the registered owner.
The most sensitive data stores would need a yearly audit, to published standards, and a record of patches - with pen-test results - for all security alerts and vulns listed by, er... let me think... some public body that doesn't yet exist. There's probably a group within the Home Office that does this internally for the Civil Service - like the sysadmins at every bank - but I'm not aware that there is a state-sponsored *public* service, in any country.
That's a gap in the law, and an obvious case for the statutory provision of a service, rather than everyone relying on purchasing a service from competing private enterprises.
...There is, of course, a gap between what *should* happen, and what actually does.
The legal framework? This would probably be enacted as 'enabling legislation', in which regulations are 'Laid before Parliament' by the minister - in practice, it's handled by a regulatory agency that maintains and updates a book of regulations having statutory force. Look up the HSE and the Control of Substances Hazardous to Health regulations as the best example of this process.
The Information Commissioner's Office *may* actually have the power to do this already - I'd be grateful if someone here is legally qualified to offer an opinion on that.
Useful Link: The Information Commissioner's Office:
That's the statutory body enforcing the Data Protection Act