Data breach lessons for website owners
Neil Sanson
20 July 2016 at 08:41

Online client portals can be great for customer service. They can be constantly updated, improved and extended. This flexibility is delivered by a complex collection of software and, unfortunately, complexity easily gives rise to difficulties. The impact of these difficulties can, however, be minimised if you take steps to avoid problems occurring, or respond quickly to them.

One type of problem that can occur on a website is when the system displays someone else’s information when a user tries to log in to their account. There are many ways this can happen, and the way it happens will determine the impact. The impact can range from seeing someone else’s login identity - a name or an email address - to actually getting access to their account.

We started recording data breaches in 2009. Since then, breaches that allowed some degree of access to other users’ accounts made up 18 out of the 42 data breaches involving websites. These are the ones we know of. We do not know about the breaches that were not reported to us.

Why do these happen?

Websites that give access to customer data are inherently risky, and that risk is incurred every time any of the software is implemented or changed.

The software packages that operate together to make the website work (or not work) are individually not simple. And when they are integrated with each other, these packages need to be able to handle not just the expected information from users but also any mistakes that can be made. Problems can occur within one of the packages, or when information is transferred from one to another.

Updates also contribute to the complexity of operating websites. Even if the content is not changed, the software packages will need to be upgraded with new versions. Often these new versions remove vulnerabilities that could allow the website to be hacked. Not installing these updates or patches leaves the website open to hackers who might be after the personal information in the system.

What you can do as a website owner

If you have a website, there are steps you can take at each stage of the lifecycle of the website to minimise the problems.

1. Plan well

Ideally, problems are avoided by good design. “Privacy by Design” is a concept that is very useful when considering customer portals.

A tool that can help with Privacy by Design is a Privacy Impact Assessment. This exercise will help everyone understand the risks to the people whose information will be handled by the system. If you are using the Agile methodology, then the preliminary assessment would be conducted as an early sprint.

2. Build using OWASP guidelines

The Open Web Application Security Project (OWASP) has produced guidance for web developers (which it is currently in the process of redeveloping). The OWASP Top Ten represents a broad consensus of the most critical web application security flaws.

3. Carry out tests

After the website is built or re-built, have it independently tested. This is a better way of finding problems than relying on getting a call or email tip-off or complaint from a user.

4. Prepare for disasters

Plan to manage a breach. Despite everyone’s efforts, a breach may still occur. You will be able to cope better if you have planned for the eventuality.

5. Listen to your users

Make it easy for people to report problems to you. In the instances we know about, the users who spot the problem are generally prompt about reporting it to the website owner. The agencies involved have also been prompt at closing down the access until the problem has been fixed. This reduces the risk.

Make sure you have easy-to-find contact details to help the user report the breach or vulnerability to someone in your organisation who will know what to do. Consider having a responsible disclosure policy so that people reporting problems to you are not worried you might blame them.

Image credit: Wasp Morphology by WikipediaProlific
