Friday, March 13, 2009

BT, next victim of SQL injection

BT, one of the world’s leading providers of communications solutions and services operating in 170 countries, was found to be vulnerable to SQL injection. Information about the incident was posted on a hacker's blog a few days ago.

According to the hacker, "A faulty parameter, improperly sanitized opens the vault to the precious databases. One can gain access to such ordinary things as personal data, login data... (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) for some of the registered users"

The hacker also claims to have gained access to 37 databases and shows all 37 of them, such as BT_Argos and BT_Main, to name a few.

However, BT rebutted the hacker's claims in the statement below, explaining that its production systems and customer data remain safe.
"BT has carried out a thorough investigation of this alleged breach. We have found that access was gained to a test database and therefore no customer details were revealed at any time.

When sites are under test they do not contain live data and are often not included within our secure network until they become operational. BT has developed rigorous, world-leading protection against unauthorised computer access in order to protect customer details and commercial interests. Where a suspected intrusion has occurred BT will act swiftly to ensure our customer data is not at risk.

Our operational systems have not been affected in any way by this attempt to break through our security."

Related report:
- BT rebuts database security breach claims
