Severity of Data Breaches Exposed

Article date: Thu, 21 Jul 2011 17:17 GMT

Stuart Coulson, UKFast Technical Director

Credit card details are as openly available as a pair of shoes on the internet, leaving consumers open to serious fraud and businesses at risk of costly legal action.

A recent investigation by internet hosting specialist UKFast found that relatively simple Google searches reveal valuable collections of personal IDs.

One of the many databases found through a simple Google search by UKFast's security experts flaunts 1,800 valid credit card details processed by an American takeaway, along with names, expiry dates and CSC codes. The information is so specific it even provides the distance from the card owners' homes to the takeaway.

Lawrence Jones, MD of UKFast, explains: "Criminals are not just selling single card details; they are selling whole identities online. It is a big business right now. There are many sites that sell personal information as openly as you would sell a pair of shoes."

Jones suggests businesses are putting themselves, as well as customers, at risk by not properly protecting data. UKFast's security division monitors security and regularly carries out penetration tests that simulate hack attacks on servers to find any weaknesses and opportunities for improvement. But many companies are oblivious to the fact that storing card and personal details live on a web server leaves them searchable by Google.

He said: "Businesses are unaware that in risking customer data they may also be breaking the law. Storing confidential information unencrypted, hosting with a foreign provider or hosting with cloud services without knowing where data is stored or how securely it is stored can all contravene the Data Protection Act."

Jones advised internet shoppers on how to protect themselves. "We need to make it as difficult as possible for fraudsters to find out any extra information about us," he said.

"Hobbies and relatives' names act as password clues for many of us yet we still have this information all over social network sites. Having high privacy settings controls who has access to this information. Simple things like having stronger passwords and secure WiFi networks can make all of the difference."

Personal details including date of birth, mother's maiden name, workplace and marital status are available through Facebook, LinkedIn or Twitter profiles. Hackers can use these sites to fill gaps in information and steal whole identities that hold a high value in the cybercrime community.

Stuart Coulson, head of special projects at UKFast, says: "Google is very good at indexing, so any indexable back-up files stored on the server may not be linked to from the website but can still be found through Google, and anyone, even without advanced technical skills, is able to find them."

"One of the best ways to test security is to hack your own site and search for the confidential data; this highlights areas you can strengthen to protect customer data," he explains.

"The key is not to have your back-up files stored unencrypted and live on the server - this is the most common security failure that I see, and to be honest, it is just lazy. Along with this, companies need to check their servers have the best protection possible."
