Retailer using WordPress fined £55k by ICO.

I noticed a press release by the ICO today that is worth passing on to website owners. Particularly WordPress website owners.

It highlights the need for adequate security and good technical website development when storing clients' information, not just as “good practice” but as something that can become financially painful if you get it wrong.

“An online building products supplier has been fined £55,000 by the Information Commissioner’s Office (ICO) after the firm failed to protect its customers’ personal information.
On 6 May 2014 an attacker used a common hacking technique called an SQL injection to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.
An investigation by the ICO discovered the Plymouth-based firm did not have the appropriate technical measures in place to prevent the attack. This is a breach of the Data Protection Act.”

If you store customers' data you become a “data controller” and as such you have legal responsibilities to ensure it is held securely and protected from any sort of loss or attack.

In this case two of their domains were hacked by an “SQL injection”, which is a brute force attack and as such should be expected by any website hosting provider, website development company and potentially a website owner.

I believe that once the hacker had access they then changed the website so that any customer details then entered would be recorded and stored by the hackers.

The important technical details:

  • The login pages contained a coding error from 2009 until 2015 when the attack occurred.
  • An attacker exploited this vulnerability in two domains by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site. (read more on WordPress below)
  • The attacker was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website (including name, address, primary account number and security code)

The ICO decided that:

  • The website owner failed to carry out regular penetration testing on its website that should have detected the error.
  • The website owner failed to ensure that the passwords for the WordPress account were sufficiently complex to be resistant to a brute-force attack on the stored hash values.
  • SQL injection is a well-understood vulnerability and known defences exist.
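To show the kind of coding error the ICO is describing, here is an added example (not code from the site in question or from WordPress) with a login lookup written two ways: the username spliced into the SQL text, and the same query with the value bound as a parameter. Python with an in-memory SQLite table stands in for the PHP/MySQL login page, and the table contents and the test inputs are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the WordPress users table (two accounts, hashes only).
USERS = [("admin", "correct horse"), ("editor", "battery staple")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    for login, pw in USERS:
        # Plain SHA-256 keeps the example self-contained; a real site needs a
        # slow, salted password hash so a leaked table resists brute force.
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (login, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """Coding error of the kind the ICO describes: the submitted username is
    spliced into the SQL text, so it can change the meaning of the query."""
    sql = f"SELECT user_login, user_pass FROM users WHERE user_login = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Hardened form: the value is bound as a parameter; the driver never
    treats it as SQL, so the WHERE clause cannot be rewritten from outside."""
    sql = "SELECT user_login, user_pass FROM users WHERE user_login = ?"
    return conn.execute(sql, (username,)).fetchall()

def compare(username):
    """Row counts each lookup returns for the same submitted username."""
    conn = make_db()
    return {"vulnerable": len(lookup_vulnerable(conn, username)),
            "safe": len(lookup_safe(conn, username))}

if __name__ == "__main__":
    # Constructed inputs: a normal login name and the textbook injection string.
    for name in ("admin", "' OR '1'='1"):
        print(repr(name), compare(name))
```

With the spliced query the second input returns every row in the table, which is exactly how usernames and password hashes leave a site; the bound-parameter query returns nothing for it.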

WordPress problem

Because WordPress is open source it is very popular and easy to install and build on, which of course is a good thing; it has become the world's most popular open source website software. The blog you are reading uses WordPress, for example. However, because it is so easy and free to use, it is sometimes used by developers who are not sufficiently technical to build sites correctly. It seems this was the case in the unfortunate incident above.

WordPress has a base core code, a styling theme which you overlay on top, and then you add modular extensions (plugins) to enable functionality: moving images, adding forms, editing pages and so on. A lot of these plugins are written by keen non-commercial entities or individuals. They can write them, so they do. Sometimes code quality or security considerations are overlooked and they rely on website owners to find the errors and sort them out. Clearly you can't run a business that way very successfully, at least not for long. (We often have to fix WordPress plugins that don't work.)

The website developers in this case seem to be the website owners themselves, who also set themselves up as a website design company (some diversification!). At the time of writing, if you are an original website customer of theirs and have an issue, you now need to use a “FREE, lightweight, reliable, open source, and easy to setup and use” ticketing system to report errors to another agency, as they have gone into liquidation.

What can we learn from this?

You get what you pay for.

If you didn’t spend very much on your website it is worth checking if it has been built correctly.

The software that creates websites is very complex. Hackers regularly try to find ways to gain access to websites through databases (most CMS systems run on databases) or via bad coding.

Website developers need to ensure that any website they create is tested for vulnerabilities in the code. The developers should always use the latest version of website content management systems and have update protocols in place to patch any vulnerabilities that may come to light in the future. They also need to implement regular updates to the core coding. It seemed that the error in the above example had been there for about 6 years.

Clients need to understand that they should expect to pay for skilled and experienced web developers to ensure that their websites are technically sound and are up to date. Especially at the initial build stage, but also at regular intervals over the life of the website.

So, do you get what you pay for?

We think so.

  • Ask your website developers what their plans are for updates and security patches for your website.
  • Get your website tested to see if there are any problems.

Please do it now.