Data breach exposes 5900 Shell customers

by Steve Ragan - Mar 18 2009, 15:00

Oil giant Shell is warning customers in New Zealand and Australia about potential security risks after their information was exposed in a Web site attack. Shell is warning 5900 customers that personal information was exposed after someone broke into a Web site that housed credit applications for Shell fuel cards.

Data breach exposes 5900 Shell customers (IMG:Shell Oil)

The breached Web site, maintained by a contractor for Shell, was breached on or around February 17. The data accessed is related to credit applications. According to Shell, 1400 New Zealand customers were affected as well as 4500 in Australia. “Shell can confirm that information provided by applicants when making online applications for Shell Card was obtained by a third party following the unlawful "hacking" of a contractor's website.” Paul Zennaro, a spokesman for Shell Australia, told The Tech Herald via e-mail.“This [is a] criminal matter and has been referred to Police. The information obtained is equivalent to what would normally be found on business cards and cheques - including company names, address details, email addresses and some bank account details.“Shell took the step of contacting all applicants, whose information may have been stolen, encouraging them to take additional precautions in coming weeks and months. The company advised precautions such as greater vigilance of bank account statements and also particular care when receiving unsolicited phone calls.“Shell regrets this incident and is taking every reasonable step to make sure it cannot happen again. The company has asked Shell card applicants that if they become aware of any breach of their security, they should immediately contact local police.”It is unfortunate that the data was exposed. Yet, as seen with past breaches, when contracting data storage, collection, or processing out to a third party, businesses must hold that company to the same strict standards of protection that they would expect of themselves.Shell would not comment on the method of attack, or the name of the breached contractor, but, based on past examples of similar attacks, it is a high probability that SQL Injection was used.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

RichardMar 19th, 2009 - 08:56:53

What a rediculous and highly speculative conclusion to draw re: the nature of the attack. SQL Injection attacks against a contractor for Shell would be highly unlikely to succeed, unless the contractor was an absolute amateur and had zero knowledge of the most basic attack vectors.

Why not just say you dont know and leave it at that??

Report this comment

SteveR-TTHMar 19th, 2009 - 12:55:28

@Richard

'...based on past examples of similar attacks, it is a high probability that SQL Injection was used.'

Look at the past examples of how data like this was exposed.

Shell said a 3rd party hosted the data accessed.

Shell confirmed it was an online credit application.

The data accessed had to have been stored in a database, of which the largest platform is SQL.

Those three bits of established fact, plus the knowledge of SQLi and the motives of the criminals who use it, led me to make the comment of probability. However, for all anyone knows the data was stored in a clear text file. Yet, I still say database, as I want to give Shell a little more credit.

Thanks for taking the time to comment.
-Steve

Report this comment

RichardMar 19th, 2009 - 22:21:10

@Steve,

The 3 'established facts' you point to merely suggest a high probability that a database was used to store the information. That's all.

Because you have no other facts, you must therefore guess at the contractor involved, guess at the technologies involved, guess at the motives of those involved and guess as to the nature of the attack. With so much guessing required I fail to see how a high probability of anything can be deduced.

Who is to say the attackers even went through the front door? The mere fact that prior attacks have in many cases, used SQL injection attacks, would in my opinion reduce the likelihood that such an attack would continue to work against a company like Shell. Database and platform vendors have spent considerable time, energy and effort over the last 3 years educating developers on best practices regarding web application development, particularly in the area of SQL Injection attacks.

With a 3rd party contractor involved, and therefore a likely need to cross a Shell to Contractor systems boundary, its just as likely that the attack occurred as the result of some improperly secured end point. In other words, I'd suggest it's more likely to have been some simple operator oversight than it is to be a gaping hole in the applications design.... especially when considering the players involved.

In the end I might be wrong, and you might be right, or we could both be wrong. Either way, considering they are based on an almost total absence of facts, there is nothing 'highly probable' about any of our speculations .

Report this comment

ScottMar 20th, 2009 - 03:29:13

Seriously, I think you two don't have enough work to do!

Report this comment

arcanaMar 20th, 2009 - 04:33:24

For some reason i find scotts comment funny. This reminded me of how kaspersky ( a well establish security company ) was hacked via sql injection.

Report this comment

page: 1

Add your comment (no registration required)