Francoise Gilbert
A proposed Federal Trade Commission consent order applicable to Ceridian Corporation establishes that failure to protect against potential SQL injection attacks is an “unfair practice” actionable under Section 5 of the FTC Act. Despite representations that it maintained “worry-free safety and reliability” and that it had a security program designed in accordance with the ISO 27000 standard, the company’s security system had several flaws. Among other things, Ceridian failed to use readily available defenses to SQL injection attacks. When a successful SQL injection attack caused the exposure of sensitive personal information of nearly 28,000 individuals, the FTC initiated an enforcement action. This action led to the development of the proposed FTC consent order, which was published on May 3, 2011.
Ceridian operates the Powerpay website, and provides payroll processing, payroll-related tax filing, benefits administration, and other human resource services. Customers enter their employees’ personal information, Social Security numbers, dates of birth, home addresses, bank account and other information on the website. This information is transmitted to Ceridian’s computer network, where payroll amounts are computed, payroll checks are processed, and direct deposits initiated.
Ceridian stored personal information in clear, readable text for an indefinite period of time, and failed to employ reasonable measures to detect and prevent unauthorized access to personal information. Hackers executed an SQL injection attack against the Ceridian system; these deficiencies allowed the attack to succeed and the personal information of individuals to be exposed.
The proposed FTC consent order is consistent with prior consent orders issued in similar circumstances. What makes the Ceridian case interesting is the list of acts and deficiencies that the FTC identifies as having created vulnerabilities and that should have been avoided. The FTC complaint against Ceridian notes in particular the following security deficiencies:
- Storing information in clear, readable text;
- Storing information indefinitely, and for longer than needed;
- Failure to assess the vulnerability of the system to known or reasonably foreseeable attacks such as SQL injection attacks;
- Failure to use readily available, free, or low-cost defenses to SQL attacks; and
- Failure to employ reasonable measures to detect and prevent unauthorized access to personal information.
This list provides examples of the minimum measures that the FTC expects from a security system intended to protect personal information such as financial information or social security numbers. Of note, in particular, is the need to have in place systems and defenses that resist SQL injection attacks and other known or reasonably foreseeable attacks.
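The “readily available, free, or low-cost” defense the FTC refers to is, in practice, parameterized (prepared) queries, which every mainstream database driver supports. The following is an added example, not code from the original article or from Ceridian: it places a string-concatenated lookup beside a parameterized one over a constructed in-memory SQLite table, and includes a small self-check of the kind a team could run as part of the “regularly test or monitor” obligation. The table, rows, and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real records.
SAMPLE_ROWS = [
    ("alice", "111-11-1111"),
    ("bob", "222-22-2222"),
]


def make_db():
    """Create an in-memory table resembling a payroll lookup (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (username, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deficient pattern: user input is spliced into the SQL text itself,
    so the database cannot tell data from query structure."""
    sql = "SELECT username, ssn FROM employees WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Defended pattern: the driver binds the input as a value; the SQL
    structure is fixed before any user data is seen."""
    sql = "SELECT username, ssn FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A constructed tautology input: harmless as a value, but it rewrites the
# WHERE clause when concatenated into the query text.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def resists_tautology(lookup, conn):
    """Regression check: a lookup is considered safe if the tautology input
    matches no rows (there is no user literally named like that)."""
    return lookup(conn, TAUTOLOGY_INPUT) == []


def demo():
    """Run both lookups with a normal and a hostile input and report results."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_hostile": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_hostile": lookup_safe(conn, TAUTOLOGY_INPUT),
        "vuln_passes_check": resists_tautology(lookup_vulnerable, conn),
        "safe_passes_check": resists_tautology(lookup_safe, conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the hostile input, the concatenated version returns every row in the table, which is exactly the kind of bulk exposure the complaint describes; the parameterized version returns nothing because the same string is compared as a literal username. The `resists_tautology` check is the sort of cheap, repeatable control that turns the FTC's "assess the vulnerability of the system to known or reasonably foreseeable attacks" into a test that runs on every build.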
The proposed consent decree establishes a 20-year supervision period, during which Ceridian will be required to obtain and provide, or make available to the FTC, on a biennial basis, an assessment and report from a qualified third-party professional, certifying that it has in place a security program that meets or exceeds specified requirements, and that provides reasonable assurance that the security, confidentiality, and integrity of personal information in the company’s custody is protected. The security program must contain administrative, technical, and physical safeguards appropriate to Ceridian’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Ceridian to:
- Designate one or several employees to coordinate and be accountable for the information security program;
- Identify material risks to the security, confidentiality, and integrity of personal information and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control these risks;
- Regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
- Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Ceridian;
- Require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, and of any material changes to operations or business arrangements.
For over 10 years the Federal Trade Commission has had an active, leading role in defining the basic requirements for the collection, use, storage, disclosure and protection of personal information. During this period, the consent decrees issued by the Federal Trade Commission have identified the security practices that the FTC deems unacceptable. These consent decrees provide a clear view of the regulators’ expectations. With Ceridian, it is now established that protecting against SQL injection attacks is an essential, basic requirement for a reasonable information security program.