If there’s anything the recent Equifax data compromise calamity has taught us, it’s that all of us—143 million and counting, in fact—need to be more acutely aware of the dangers and consequences of hacks that expose personal information to the virtual world. Names, social security numbers, addresses, emails, bank account details and, of course, credit histories were laid bare in the latest attack, once again reminding us of the fragility of having so much information floating around a digital universe.
For website owners, managers, administrators and users whose sites gather and, perhaps, store customer data, the Equifax crisis should absolutely serve as a wake-up call. Would you know what to do if your site was hacked and the personal information of your loyal customers stolen? Would you know how to contact your users and let them know what happened? Do you have any safeguards in place to prevent a breach from happening at all? How about a plan to get up and running quickly after the attack? These are all questions you should have answers to if you’re operating an e-commerce or other type of site that gathers personal data.
So, in light of this most recent breach, here are some procedures to have in place should your site be compromised and your users’ data exposed.
Of course, the first and best steps to take are to prevent a hack in the first place. This means:
- Keeping all your core programs, platforms, scripts, plugins and themes up to date with the latest versions. These versions almost always contain the newest security fixes and additions.
- If you don’t have “add on” security programs or plugins, get them and install them immediately. Platforms like WordPress come with built-in security protocols, but too often they don’t go far enough in protecting your site.
- In previous columns we’ve stressed the importance of using “HTTPS” as opposed to just “HTTP.” The former gives your users the peace of mind of seeing those five little letters, and if yours is an online store you must absolutely get an SSL certificate that will encrypt your customers’ data in transit.
- If you have a web form that allows users to supply information, nefarious individuals can insert code into those fields: it’s called SQL injection. To prevent this, use parameterized queries, which keep the SQL statement fixed and hand the user’s input to the database separately as a plain value, so nothing typed into the form can be executed as part of the query.
- This should be a no-brainer: make sure your passwords are incredibly secure. Nothing would be more embarrassing and cause more harm to your site’s reputation than if a hacker was able to breach your site simply by guessing your admin login information. So have an impossible-to-guess password and, if other people have access to the inner workings of your site, be sure they’re using strong passwords as well.
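To make the SQL injection point concrete, here is an added example (not code from the original column) showing a form lookup written both ways against a constructed in-memory SQLite table. The table, the addresses and the hostile form value are all made up for the demonstration.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a site's customer table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Insecure: the form value is spliced into the SQL text, so a quote in
    the input can change what the statement means."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Secure: the statement is fixed and the driver binds the value
    separately, so the input is compared literally against the column."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

if __name__ == "__main__":
    db = build_db()
    # Constructed hostile form value: closes the quoted string and appends
    # an always-true condition, the classic textbook injection.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable(db, "alice@example.com"))  # ['Alice']
    print(lookup_vulnerable(db, hostile))              # ['Alice', 'Bob'] (whole table leaks)
    print(lookup_parameterized(db, hostile))           # [] (treated as a literal address)
```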
Whereas it’s easy to preach about how to prevent an attack and the loss of personal information, knowing your responsibilities as a website owner or e-commerce site administrator is a bit more complicated. Consider this: in the State of California there’s a statute known as the “breach notification law” (other states have enacted similar laws). Basically, the law requires that business owners immediately disclose data security breaches to the state’s residents if “an unauthorized person obtained, or is reasonably believed to have obtained, their unencrypted personal information.” For website owners that have been hacked, the notification must be given as quickly as possible. In addition (and this is the scary part), companies that fail to properly secure the personal information of their clientele may be held liable in civil court should that information be compromised and said customers suffer personal damages as a result.
Additionally, getting hacked due to poor security protocols can have deeper implications: your business loses revenue because users have lost trust in the safety of your site. Therefore, if your site is hacked and customers’ personal information is compromised, it’s vital you call in web security experts to help: this can help restore any faith your clients may have lost. You can also initiate some steps on your own to minimize downtime:
- Identify and document everything you know about the hack. Determine if you can still log into your admin panel; see if your site is being redirected to another URL; search your pages for links that you don’t recognize; and investigate whether or not search engines such as Google are marking your site as “insecure.” Having this list of problems will be vital later on in the process.
- Check in with your hosting company, many of which have user support staff that are experienced in dealing with hacks. Follow their instructions and, in some circumstances, the host will clean up the problem for you and recommend measures you can take to avoid a future hack.
- Restore your site from the backups you (hopefully) have been making since the day your site went live.
- Examine your site and delete any inactive themes or plugins, as this is often where hackers locate the “backdoor”—the place where they were able to bypass authentication safeguards and access the server covertly—that allowed them to compromise your site in the first place. Then scan your site completely for any and all hacks using a free plugin such as Sucuri WordPress Auditing or Theme Authenticity Checker.
- Lastly, change your passwords again. And be sure to change them for every section you access via a password: at your main login; at cPanel/FTP/MySQL; and anywhere else that is password protected. And be sure that, when you change your passwords, you use strong ones that are hard or impossible for a hacker to guess, i.e. a random combination of letters (both upper and lowercase), numbers and symbols.
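The first step above (checking for redirects and for links you don’t recognize) can be partly automated. The following is an added example, not code from the column or from any product it names: it parses a page’s HTML, reports every link, script, iframe or stylesheet target whose host is not on your own list of domains, and flags meta-refresh redirects. The sample HTML and the domains in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkAudit(HTMLParser):
    """Collects outbound targets and meta-refresh redirects from page HTML."""
    def __init__(self):
        super().__init__()
        self.targets = []    # (tag, url) pairs for a/script/iframe/link
        self.redirects = []  # destinations of <meta http-equiv="refresh">

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "script", "iframe", "link"):
            url = a.get("href") or a.get("src")
            if url:
                self.targets.append((tag, url))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.redirects.append(content.split("=", 1)[1].strip())

def audit_page(html: str, own_domains: set) -> dict:
    """Return targets whose host is outside own_domains plus any redirects.
    Relative URLs have no host and are treated as the site's own."""
    parser = LinkAudit()
    parser.feed(html)
    unknown = [(tag, url) for tag, url in parser.targets
               if urlparse(url).hostname and urlparse(url).hostname not in own_domains]
    return {"unknown_targets": unknown, "redirects": parser.redirects}

# Constructed sample page: one injected redirect, one foreign script, one spam link.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; url=http://redirect.example.invalid/x">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-shop.com/app.js"></script>
<script src="http://unknown-cdn.example.invalid/m.js"></script>
</head><body>
<a href="/products">Products</a>
<a href="https://www.example-shop.com/about">About</a>
<a href="http://spam.example.invalid/pills">cheap pills</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, {"www.example-shop.com", "cdn.example-shop.com"})
    for tag, url in report["unknown_targets"]:
        print(f"unrecognized <{tag}> target: {url}")
    for dest in report["redirects"]:
        print(f"page redirects to: {dest}")
```

Run it against a saved copy of each page (the hosting company’s file manager or FTP will give you the raw files) and add every hit to the list of findings you document for your host or security expert.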