
Retailer using WordPress fined £55k by ICO.

I noticed a press release by the ICO today that is worth passing on to website owners, particularly WordPress website owners.

It highlights the need for adequate security and good technical website development when storing clients' information: not just as “good practice” but as something that can become financially painful if you get it wrong.


“An online building products supplier has been fined £55,000 by the Information Commissioner’s Office (ICO) after the firm failed to protect its customers’ personal information.
On 6 May 2014 an attacker used a common hacking technique called an SQL injection to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.
An investigation by the ICO discovered the Plymouth-based firm did not have the appropriate technical measures in place to prevent the attack. This is a breach of the Data Protection Act.”

If you store customers' data you become a “data controller” and as such you have legal responsibilities to ensure it is held securely against any sort of loss or attack.

In this case two of their domains were hacked by an “SQL injection”, which is a brute force attack and as such should be expected by any website hosting provider, website development company and potentially a website owner.

I believe that once the hacker had access they then changed the website so that any customer details then entered would be recorded and stored by the hackers.

The important technical details:

  • The login pages contained a coding error from 2009 until 2015 when the attack occurred.
  • An attacker exploited this vulnerability in two domains by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site (read more on WordPress below).
  • The attacker was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website (including name, address, primary account number and security code).
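The coding error the ICO describes is the classic one: a login page splices what the visitor typed straight into a SQL statement. The example below is added to this post and is not code from the site in question or from WordPress; it uses an in-memory SQLite table with constructed user names and placeholder hashes to show a lookup built by string concatenation beside the parameterised version that defeats the same input.

```python
"""Login lookup built by string concatenation beside the parameterised form.
Added example; the table layout, user names and the placeholder 'hash' values
are constructed for the demonstration."""
import sqlite3


def make_db():
    """Build a throwaway users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)"
    )
    # Placeholder strings stand in for real password hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "placeholder-hash-1"), ("editor", "placeholder-hash-2")],
    )
    return conn


def vulnerable_lookup(conn, username):
    """The coding error: untrusted input becomes part of the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = (
        "SELECT username, password_hash FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """The known defence: a parameterised query. The driver binds the value
    separately from the statement, so it is never parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"   # textbook input that breaks out of the quotes
    print("vulnerable:", vulnerable_lookup(db, tampered))  # every row comes back
    print("safe:      ", safe_lookup(db, tampered))        # no such user: empty
```

Run against the same input, the concatenated query returns every row in the table while the parameterised one returns nothing. In WordPress plugin code the equivalent defence is to build queries with `$wpdb->prepare()` rather than by string concatenation.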

The ICO decided that:

  • The website owner failed to carry out regular penetration testing on its website that should have detected the error.
  • The website owner failed to ensure that the passwords for the WordPress account were sufficiently complex to be resistant to a brute-force attack on the stored hash values.
  • SQL injection is a well-understood vulnerability and known defences exist.
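The second finding is easy to overlook: even once the hashes had been taken, the ICO expected the stored values to resist a brute-force attack, which depends on both the strength of the passwords and how they were hashed. The example below is added here and is not the ICO's or WordPress's code; the length and character-class thresholds, the iteration count and the small blocklist are constructed choices that a site owner would tune to their own policy.

```python
"""Password storage that holds up if the hash table leaks: a minimum-strength
check at registration plus a salted, deliberately slow key-derivation function.
Added example; thresholds, iteration count and the blocklist are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed cost; raise until one hash takes ~100 ms on your server
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}  # constructed sample


def password_acceptable(password):
    """Reject passwords that a dictionary run or short brute force would recover."""
    if len(password) < 12:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = sum(
        [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
    )
    return classes >= 3


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means identical passwords produce different
    stored values, so one cracked hash tells the attacker nothing about the rest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery-9"   # constructed demo password
    print("acceptable:", password_acceptable(candidate))
    record = hash_password(candidate)
    print("stored:", record)
    print("verifies:", verify_password(candidate, record))
    print("wrong password verifies:", verify_password("password", record))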

WordPress problem

Because WordPress is open source it is very popular and easy to install and build with – which of course is a good thing; it has become the world's most popular open source website software. The blog you are reading uses WordPress, for example. However, because it is so easy and free to use, it is sometimes used by developers who are not sufficiently technical to build a site correctly. It seems this was the case in the unfortunate incident above.

WordPress has a base core code, a styling theme which you overlay on top, and then you add modular extensions (plugins) to enable functionality: move images, add forms, edit pages and so on. A lot of these plugins are written by keen non-commercial entities or individuals. They can write them – so they do. Sometimes code quality or security considerations are overlooked and they rely on website owners to find the errors and sort them out. Clearly you can't run a business that way very successfully – at least not for long. (We often have to fix WordPress plugins that don't work.)

The website developers in this case seem to be the website owners themselves, who also set themselves up as a website design company (some diversification!). At the time of writing, if you are an original website customer of theirs and have an issue, you now need to use a “FREE, lightweight, reliable, open source, and easy to setup and use” ticketing system to report errors to another agency, as they have gone into liquidation.

What can we learn from this?

You get what you pay for.

If you didn’t spend very much on your website it is worth checking if it has been built correctly.

The software that creates websites is very complex. Hackers regularly try to find ways to gain access to websites through their databases (most CMS systems run on databases) or via bad coding.

Website developers need to ensure that any website they create is tested for vulnerabilities in the code. Developers should always use the latest version of the content management system and have update procedures in place to patch any vulnerabilities that come to light in the future. They also need to apply regular updates to the core code. It seems the error in the example above had been there for about 6 years.

Clients need to understand that they should expect to pay for skilled and experienced web developers to ensure that their websites are technically sound and up to date, especially at the initial build stage but also at regular intervals over the life of the website.

So, do you get what you pay for?

We think so.

  • Ask your website developers what their plans are for updates and security patches for your website.
  • Get your website tested to see if there are any problems.

Please do it now.


Google has started the cull… Are you in danger?

Google made its latest major algorithm change on April 21st this year and will now be using mobile friendliness to rank websites shown in searches on mobile devices.

Although we have been advising our clients on this subject for a while now, this is the first time that it has been officially imposed by Google, and it can really make a difference to your Google ranking. For some companies this big change has seen a fall in search-engine-driven traffic to their website and ultimately in their online enquiries.

This shift has cemented what we have always advised our clients: when you have a website, it is mandatory to keep up with the latest technology and trends to make sure your online activities don't affect your business adversely. Quite to the contrary, this major change in how Google displays websites presents an opportunity to businesses that are willing to grasp it properly and use it to their advantage, getting more traffic from their mobile-friendly website.

HOWEVER, not all is lost: the majority of existing websites can be made responsive without having to have a whole new website developed at huge cost.

It is simple to check how ‘mobile friendly’ your website is by just using this link: https://www.google.com/webmasters/tools/mobile-friendly/?utm_source=wmc-blog&utm_medium=referral&utm_campaign=mobile-friendly

If you find that your website does not pass the test, why not give us a call on 01746 769612 to speak to one of our friendly team and find out how we can help.

J Kelsall Builders Merchants LLP, Launch Brand New Website

Andy Hartshorn Managing Director of J Kelsall Builders, Ivet King Sales Manager of Clickingmad and Trevor the Border Terrier

J Kelsall Builders Merchants have launched their brand new website this month, showcasing their wide range of building supplies. The website also features kitchens and bathrooms, which they can design and supply to customers. The professional-looking website has been both designed and built by well-established website design agency Clickingmad Ltd, based in Shropshire.

J Kelsall Builders Merchants, founded in the 1950s, is an independent, family-run business based in the West Midlands. Their website displays some of their product ranges, including timber, sheet materials, aggregates, plumbing supplies and many more categories, which can be seen at their on-site trade counter. Their smallest member of staff, Trevor the Border Terrier, is the author of Trevor's Blog, featured on the website to keep visitors up to date with all the latest news.

Ivet King, Sales Manager at Clickingmad comments ‘This was a very exciting website to work on and the high quality images throughout the website make it look very professional. We loved meeting little Trevor when we went out to visit Kelsalls and his blog reflects the personal and friendly nature of the company.’

Andy Hartshorn, Managing Director of J Kelsall Builders Merchants said ‘Clickingmad have produced a fantastic website for us and their management of the project was second to none. We are very pleased with how the website has turned out and Clickingmad have guided us through the whole process. We will continue to work alongside them on our website to ensure it works as best it can.’

The launch of the new website is set to display their extensive range of products and allow customers to browse online. Its responsive design means it is accessible to customers on the move and can be easily navigated on a mobile device.

Their new website and Trevor can be seen on www.jkelsallbuildersmerchants.co.uk
Clickingmad’s website can be seen on www.clickingmad.com