If You're Hacked and You're Told It Clap Your Hands...

I am working on a story about a listed retailer with $1 billion+ in annual revenues that has had its website hacked. Despite multiple attempts to contact the compromised business, it is not responding to the security company that identified the issue.

The affected company’s website takes orders from customers; it takes credit card details. Five days after the cybersecurity firm tried to report that the website had a credit card skimmer on it, it's still there and customers are having their details stolen.

This may seem – and indeed is – barking mad. But it is not entirely uncommon.

Companies too often still fail to respond to “white hat” security researchers (sometimes friendly hackers, sometimes major endpoint protection vendors) trying to alert them to issues. Sometimes they’re scared of disclosure, sometimes they think they’re being emailed by a scammer, sometimes they’re just generally sodding useless.

In this day and age, that's unacceptable.

How Can We Avoid This Lunacy?

I want to provide one, single helpful tip* for businesses to avoid this situation.

It’s this: set up a security@ email address.

Make it clearly visible – for example have a “security” button on your website nested under “contact us” – then have your IT team check it regularly. (Or your Security Operations Centre provider, or whoever handles security for your business; hopefully someone does...)

If lolurpwned@hackrsanonymous or vitaly@whitehat etc. gets in touch to say they’ve noted a security vulnerability on your website or one of your applications, take it seriously, thank them courteously, have your security team double-check it and if it’s a legitimate issue you hadn’t noticed, get patching/remediating, and thank whoever disclosed it, again.

Many will do this and they are not threatening you. (Of course, that happens plenty too). If it is an individual security researcher, you could even send them swag/an Amazon voucher: they disclosed something to you rather than exploiting it. That’s a good thing.

There are a lot of young hackers out there who will do this kind of thing and all they want is a pat on the back rather than being ignored, or worse, facing legal threats.

(If you're getting a lot of this, set up a bug bounty programme, and hire a reputable penetration testing company to simulate an attack on your systems).

You'll still want that security@ email though.

*Needless to say, do the needful too: regular software patching, multi-factor authentication, up-to-date endpoint/cloud/API protection, restricted privileges, etc. The NCSC's Board Toolkit is a good starting point for cyber risk conversations, if your company is not buying in to the idea that the risk is colossal.

More articles by Edward Targett