An e-commerce company stores sensitive customer data, including credit card information. Theyhave recently suffered a security breach, resulting in significant financial loss.(a) Describe a potential scenario where SQL injection is used by cybercriminals to gainunauthorized access to the company's database. (3 marks)(b) How would the principle of least privilege help in reducing the risk of such attacks? (3 marks)(c) What are the implications of storing credit card information in plain text and how can thecompany improve its data storage practices? (4 marks)

(a) A potential scenario where SQL injection is used by cybercriminals to gain unauthorized access to the company's database could be as follows: The e-commerce company has a search function on their website where users can search for products. This search function uses SQL queries to retrieve product information from the database. A cybercriminal could manipulate this search function by entering SQL code instead of a product name in the search bar. If the website does not properly sanitize user input, this SQL code could be executed by the database, potentially giving the cybercriminal access to sensitive data. For example, the cybercriminal could use a SQL statement like "1=1; SELECT * FROM Customers" to retrieve all customer data. (3 marks)

(b) The principle of least privilege (PoLP) is a computer security concept in which a user is given the minimum levels of access necessary to complete his/her job functions. In the context of this e-commerce company, applying the PoLP could mean that only certain trusted and trained employees have access to the sensitive customer data stored in the database. This would reduce the number of potential targets for cybercriminals. Additionally, if a cybercriminal were to gain access to an employee's account, the damage they could do would be limited by the privileges of that account. (3 marks)

(c) Storing credit card information in plain text is a major security risk. If a cybercriminal were to gain access to the database, they could easily read and misuse this information. This could result in significant financial loss for the company and its customers, as well as damage to the company's reputation. To improve its data storage practices, the company should encrypt sensitive data. Encryption transforms data into a code that can only be accessed with a key. Even if a cybercriminal were to gain access to the encrypted data, they would not be able to read it without the key. The company should also consider using tokenization, which replaces sensitive data with non-sensitive equivalents, known as tokens. (4 marks)