Key learnings from high profile corporate website attacks

10 June 2019 | SMB, Digitalisation, Cybersecurity | 7 min read

Leading cyber security agencies are warning that future cyber-attacks will not only be more disruptive, but more destructive, with the potential to damage the reputation and day-to-day activities of businesses unprepared for an attack.

On May 14 it was reported that a hacking attack against a high profile Japanese retailer had reinforced fears that the global cost of cybercrime could reach a staggering $6 trillion by 2021.

The retailer reported that there were more than 460,000 unauthorised logins to registered accounts via a hack where user IDs and passwords are potentially leaked from other services. Typically, it occurs when people use the same password for different online accounts.

As a result, the retailer requested all online customers to use different passwords for different services and avoid easily guessed or commonly passwords.

Locally, a health-related / charity organisation became a victim of hackers when the personal data of nearly 4,300 potential blood donors was “leaked”, as reported by The Straits Times on May 16.

It was reported that these potential donors’ names, contact numbers, email addresses, declared blood types, preferred appointment dates and times and preferred locations for blood donations were left exposed.

Unfortunately, it was something as simple as a weak administrator password that was believed to have let the hackers in.

Singaporeans were shocked when it was revealed that a vendor had improperly put online the personal information of more than 800,000 potential blood donors. This followed a cyber-attack in July 2018 when the private data of 1.5 million patients were compromised.

The shared result of all these hacks is a potential loss of reputation and trust. On top of customers' important data being compromised, the leaks further increasing the chance of other cyber-crimes.

The most common fragile points in cybersecurity are weak passwords, malware and a lack of protection around website applications and infrastructure. 

The common thread in these hacks are weak passwords. Businesses and customers have been warned for years – if you make your password “password”, your data is unsecure.

This was borne out in research by the UK’s National Cyber Security Centre which confirms that many people still don’t treat their personal online safety as a serious issue. In fact, most people the Centre surveyed used “123456” as their password, followed by their names, their favourite football team or pop band, or their favourite superhero (Superman was number one).

It's not just about passwords though. Businesses with an online presence need their websites secured to protect their customer's data. Hacking attacks can be directed at your business website. Potentially, any web-based application can be targeted.

For businesses, any cybercrime that is linked to their brand is a devastating blow to their reputation, especially in terms of protecting their customers’ private data. Business needs to think about a comprehensive protection solution that moves beyond passwords.

Completely securing your website without expert help is difficult. Even building your website on commonly used platforms like WordPress isn't completely secure. Cybersecurity service provider, Trustwave, has noted an increase in attacks specifically targeting WordPress. In most cases, these attacks are focused on outdated plug-ins or developed by third party vendors. While WordPress allows different plug-ins to enhance the platform's functionality, you need to be sure of their quality and security.

In 2018, Trustwave tested a variety of web applications for vulnerabilities. It found 100% of those websites had at least one weak-spot. Some of these vulnerabilities can be harmless, but others can cause major headaches for business owners. Retail website attacks are mainly aimed at e-commerce transactions and even Point-of-sale systems. Being responsible for customer's credit card information being leaked isn't great for your reputation. 

While not all vulnerabilities will be exploited, just understanding where security is lacking will help you find the right cybersecurity solution.

For all businesses, cybersecurity solutions need to be cost effective, easy to install and have a track record of providing a high level of protection.

Singtel’s Web Application Security Services are a web security and performance services featuring web application firewall, web accelerator, visual defacement monitoring and website restoration.

Essentially, the solution offers pre-emptive protection by:

• Detecting and stopping malicious attacks or software from reaching your web servers. 
• Utilising the latest threat intelligence so your website is always protected as new threats are discovered.
• Securing web servers so sensitive information such as company data, employee information or customer details, is always safe.
• Using a web application firewall to protect your websites from vulnerabilities, ransomware, zero-day attacks and DDoS attacks which can take your website offline.
• Improve page performance and save bandwidth costs by leveraging on Singtel's globally distributed delivery network.
• Detecting unauthorised changes or defacements on your website, before your customers do, through automated monitoring.

Latest series threat intelligence constantly guards your website even when new vulnerabilities are discovered.

So-called web defacement, where hackers exploit website security weaknesses to “deface” websites – change words, scrawl across them, taunt site owners – often for political purposes, is on the rise. Web defacement in Singapore was up nearly 17% in 2017, according to the Cyber Security Agency of Singapore’s Cyber Landscape Report.

Singtel’s web defacement protection helps business avoid reputation damage by alerting the owner to unauthorised visual changes to a website in real time. Even if you are hacked, Singtel can restore your original web presence using a secure replica to ensure no downtime, helping to maintain the good reputation of your brand.

Your business reputation can be your biggest asset, so it’s worth protecting. By investing in cybersecurity now, you’re safeguarding business data before a hack occurs.