The Information Commissioner’s Office (ICO) has published a report highlighting the eight most common IT security vulnerabilities that have resulted in organisations failing to keep personal data secure.


” was published on 12 May and draws on the ICO's casework, including the cases in which it issued monetary penalty notices against organisations for breaches of the seventh principle of the Data Protection Act, the requirement to keep personal data secure. The report focuses on issues that occur in the online environment and leaves aside those where the threat to personal data is relatively low, for example the exposure of script debugging error messages.


The eight vulnerabilities identified are: failure to keep software up to date with security patches; a lack of protection against SQL injection; running unnecessary services; poor decommissioning of old software and services; insecure storage of passwords; failure to encrypt online communications; poorly designed networks that process personal data in inappropriate areas; and continued use of default credentials, including default passwords.
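Two of the listed weaknesses, missing SQL injection protection and insecure password storage, typically appear together in the same login handler. The following Python example is added here for illustration and is not code from the ICO report or from any organisation it names; the user data, table names and function names are constructed for the example. It contrasts a login check that builds its query from untrusted input and compares plaintext passwords with one that uses a parameterised query and a salted PBKDF2-HMAC-SHA256 hash.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials for the example (not real data).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def build_db() -> sqlite3.Connection:
    """In-memory database holding the same user under both storage models."""
    conn = sqlite3.connect(":memory:")
    # Insecure model: the password is stored in plaintext.
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    # Hardened model: a random per-user salt and the PBKDF2 hash, never the password.
    conn.execute(
        "CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hashed VALUES (?, ?, ?)",
        (SAMPLE_USER, salt, _pbkdf2(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately weak: query text is built from user input and passwords are plaintext.

    A username of  alice' --  turns the rest of the WHERE clause into an SQL comment,
    so any password is accepted; a database leak exposes every password directly.
    """
    query = (
        "SELECT username FROM users_plain "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus salted hash comparison in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _pbkdf2(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored_hash)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected username:", login_vulnerable(db, "alice' --", "anything"))
    print("hardened, injected username:  ", login_hardened(db, "alice' --", "anything"))
    print("hardened, correct password:   ", login_hardened(db, SAMPLE_USER, SAMPLE_PASSWORD))
```

The parameterised query keeps the injected string as data rather than SQL, and because the hardened table holds only salt and hash, a compromise of the database does not hand the attacker reusable passwords.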


Such vulnerabilities resulted in, for example, the
after the details of service users were compromised through the insecure collection and storage of that information on its website, and the
after the company failed to keep its software up to date, leading to customers' details being compromised during a targeted attack.