
Monday, 21 April 2014


Cumbrian firms leave themselves open to online attack - investigation

Confidential files are open to view online and major Cumbrian companies have left themselves vulnerable to attack by hackers, an investigation into cybersecurity reveals today.

Tony Wilson

During a two-hour trawl through websites of some of the county’s most prestigious firms, loopholes were found that would allow hackers to access databases, post abusive messages or view confidential documents.

It also found:

  • A health agency which had left a “private and confidential” transcript online which outlined details of indecent exposure by a Cumbrian health professional, who quit his job in return for keeping the matter out of court;
  • A tourist website that had left a file containing login and password details;
  • A business park and a business quango listed on an Asian hacker’s website alongside guidance on how to breach security on their sites;
  • A large employer which had uploaded hundreds of files including invoices on to its servers – and left them where they could be seen online without any need for a password;
  • A string of smaller Cumbrian companies such as car dealers, hairdressers and gyms who have had websites built in a way that they could be hacked into within seconds;
  • A logistics company whose website allowed access to directories and files that could easily be used by hackers.

The loopholes were found thanks to the expertise of information security consultant Tony Wilson, who advises firms about how to stay one step ahead of the hackers and cybercriminals.

He agreed to show our sister website, in-cumbria.com, how easy it was to gain access to the workings of Cumbrian websites on condition that it did not identify the companies concerned or leave them vulnerable to attack.

Mr Wilson, who runs the Indelible Data consultancy, showed how easy it was to find websites built for local firms and government agencies that leave open loopholes that can be exploited by hackers.

In some cases websites are using old software that is known to be insecure and in others they have accidentally left files and directories where they can be found by anyone with a reasonable knowledge of websites.

A hacker with a point to prove or other malicious intent could use access to a website’s directory to upload files, replace pictures or deface the site.

Another common weakness was login screens that failed to stop hackers entering code to break into the site.

Mr Wilson said: “If you were building a shop you wouldn’t allow it to be done in a way in which a burglar could break in and steal your goods, so why build a website – which is a shop window for the world – in a way that people can hack into it?

“Businesses often believe that website security comes as standard but in many cases it does not.”

in-cumbria.com has informed all the companies about the security breaches uncovered.


Have your say

I work in this field, and have done for some considerable time.

The problem is, companies want things on the cheap, they look for the lowest price that gives the best presentation. I have personally been involved with local businesses that think a well considered security policy is not value for money - many of these companies are exposing themselves not only to the loss of brand (such as losing customer data or embarrassment) but to prosecution under the Data Protection Act. Many consider it an acceptable risk - why not ask your suppliers what their security policy is? They have your data too.... think about it.

Web production has become an industry that is full of many underqualified people, yes they can produce wonderful looking websites, but they don't have the industry knowledge to secure them - a view that is supported by the evidential findings in this report.

It's not just Web production, the number of unsecured Wireless LANs around the industrial estates or town/city centres is staggering. There is software freely available that can breach many of the 'security' features employed. It is more dangerous to think you are secure when you are not, than having a totally open WLAN.

Securing your data is a specialist task, you either need to take it seriously, or air gap your information (Air gap is a term used to describe a network that has a physical detachment from anything public).

I'm glad this report has come out, it's about time companies/traders took the public's data seriously.
Personally, if I was to find my information was leaked, stolen or became public I would pursue the company who let it go, as far as a criminal prosecution of the Data Controller.

Posted by PaulM on 3 October 2012 at 08:45
