
posted by janrinok on Sunday March 09 2014, @10:08PM
from the and-somewhere-a-web-designer-shrugs-his-shoulders dept.

lhsi writes:

"The British Pregnancy Advisory Service has been fined £200,000 (€241,000; $334,500) for a data breach.

A hacker had threatened to reveal the names of 10,000 people who had contacted the service, after accessing unsecured data using a website vulnerability, the BBC reports.

David Smith, deputy commissioner and director of data protection at the ICO (the Information Commissioner's Office), said:

"Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.

But ignorance is no excuse. It is especially unforgivable when the organisation is handing information as sensitive as that held by the BPAS."

The BPAS has said they believe the fine is out of proportion and they plan to appeal."

  • (Score: 2, Insightful) by mrbluze on Sunday March 09 2014, @10:12PM

    by mrbluze (49) on Sunday March 09 2014, @10:12PM (#13655) Journal

    Don't think anything you ever do won't ever be uncovered. Incompetent people are everywhere!

    --
    Do it yourself, 'cause no one else will do it yourself.
    • (Score: 3, Interesting) by xlefay on Sunday March 09 2014, @10:17PM

      by xlefay (65) on Sunday March 09 2014, @10:17PM (#13656) Journal

      Websites that store vital and private information such as this should have a security audit regularly. This just smells like incompetence on so many levels.

      So here is my question, as per the department line, why does a/the web designer shrug? - Am I correct to assume web designers are now blamed for things they don't have anything to do with? /me shrugs

      • (Score: 5, Insightful) by Angry Jesus on Sunday March 09 2014, @11:25PM

        by Angry Jesus (182) on Sunday March 09 2014, @11:25PM (#13674)

        Am I correct to assume web designers are now blamed for things they don't have anything to do with?

        In this case the "web designer" was contracted to design, implement and deploy a system that collects personal information from the users. The BPAS charity has an obligation under UK law to flow down security requirements for personal information. It appears that whoever they contract with does not have any legal obligation of their own.

        However the fact that they did not push back during contract negotiations and require BPAS to come up with a security specification suggests incompetence on their part. They may not have had a legal requirement, but anyone working in that space should have known better. This isn't 1995 -- UK data collection and retention laws have factored into nearly every CRM system for at least two decades now.

      • (Score: 5, Informative) by frojack on Sunday March 09 2014, @11:36PM

        by frojack (1554) on Sunday March 09 2014, @11:36PM (#13680) Journal

        It seems odd to have this type of information on a web site at all, usually contact info from a fill-in form is routed internally (email, or even print) and then immediately deleted, and not kept on the web server at all.

        "The charity had failed to realise its website was storing the name, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues."

        The web designer should have known that this was happening, and may have thought it was secure. Still, you have to ask why they would retain that information on the server. A request for a call back has a relatively short lifetime of usability.

        Apparently it wasn't readily available, and the hacker had to break in via some undisclosed vulnerability for which he got 32 months. Still, security is something a web designer is paid to consider, especially when dealing with anything even remotely related to medical issues.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 5, Insightful) by edIII on Sunday March 09 2014, @11:57PM

          by edIII (791) on Sunday March 09 2014, @11:57PM (#13685)

          web designer

          That's the problem right there. You are expecting way too much from people, that on average, have a complete lack of any fundamentals.

          Your average coffee shop web designer doesn't even understand PHP, and is limited to working with IDEs, adding plugins to Wordpress, and has absolutely no chance of understanding SQL databases, much less mitigating SQL injection attacks.

          There is the crux of the problem. In order to mitigate attacks like this you need to first understand the attack surface. A web designer doesn't have a chance in hell of doing this.

          If you want a website that has medical data secured you need to hire somebody that, quite frankly, would be a little offended if you called him/her a web designer.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 4, Insightful) by frojack on Monday March 10 2014, @12:41AM

            by frojack (1554) on Monday March 10 2014, @12:41AM (#13698) Journal

            Was SQL even involved?

            From what I can read, you filled in a form for a call back and it was appended to a file on the server.

            The average Cafe web designer isn't even likely to use SQL.

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 3, Insightful) by edIII on Monday March 10 2014, @02:15AM

              by edIII (791) on Monday March 10 2014, @02:15AM (#13714)

              Actually, they are likely to use SQL. Very likely. Just not likely to know it at all.

              I don't know if this was specifically an SQL exploit, but many people install packages or use scripts on servers that provision databases. I'm not sure you provision one of those Mickey Mouse Wordpress setups without one.

              All it takes is a script to create the database, as it's highly likely that a MySQL DB server is running to support other programs running on the server. Add to that a little copypasta here and some copypasta there from web designer blogs and you have a somewhat functional site that has a larger attack surface than OP's mom's butt.

              If it was a file appended to on the server, that sounds exactly like what copypasta blog code would do. Dollars to donuts, it even says somewhere on that website to disable the 'debugging' lines in it.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 2) by xlefay on Monday March 10 2014, @08:24AM

            by xlefay (65) on Monday March 10 2014, @08:24AM (#13779) Journal

            Thank you, this is exactly what I meant.

            Many people seem to fail to make this distinction. Web designers are to actually 'design' a website, write the markup & CSS, and possibly (though arguably a web developer's job) write the JS, if there's any.

            Web developers eat a whole different cake and obviously, whoever wrote this website wasn't eating the cool cake.

            [note: the cake is a lie.]

  • (Score: 5, Informative) by MozeeToby on Sunday March 09 2014, @10:59PM

    by MozeeToby (1118) on Sunday March 09 2014, @10:59PM (#13665)

    They're not an abortion provider, they're a provider of information about abortion. That's a pretty large difference. They are a donation and grant supported charitable organization providing a volunteer powered information service for women seeking an abortion.

    • (Score: 3, Informative) by janrinok on Sunday March 09 2014, @11:05PM

      by janrinok (52) on Sunday March 09 2014, @11:05PM (#13669) Journal

      Thank you - corrected.

    • (Score: 0) by Anonymous Coward on Sunday March 09 2014, @11:07PM

      by Anonymous Coward on Sunday March 09 2014, @11:07PM (#13670)

      If that's the case, the data breach is a lot less shocking than it might be otherwise. It's unlikely they could afford the best of the best to design their website.

      • (Score: 5, Insightful) by pe1rxq on Sunday March 09 2014, @11:24PM

        by pe1rxq (844) on Sunday March 09 2014, @11:24PM (#13673) Homepage

        I don't agree, the data is still very sensitive and should be treated as any other patient data.
        The fact that they are a charity is also not a good excuse. If you can't afford to properly handle your patients' data you should be smart enough not to keep it at all.
        Besides, usually things like this are not about cost, but about competence. Incompetent consultants are not much cheaper than the competent ones...

        • (Score: 2) by Nerdfest on Sunday March 09 2014, @11:34PM

          by Nerdfest (80) on Sunday March 09 2014, @11:34PM (#13678)

          There really should be laws forcing people to use only unique identifiers for any internet connected patient data systems, with a lookup of matching credentials in offline systems for authentication.

          • (Score: 5, Insightful) by edIII on Monday March 10 2014, @12:20AM

            by edIII (791) on Monday March 10 2014, @12:20AM (#13691)

            Perhaps... there should be actual licensing and certification for any Internet connected information system that has medical data, or any data deemed protected.

            We all know that web designers are worthless. They are a product of our own success in creating platforms that provide a high level of abstraction. A soccer mom can learn how to piece together a dynamic data driven website in a few months with Wordpress and a few plugins. A plethora of companies provide all the sysadmin needs to throw up a server, which also removes any need for her to understand a rather large foundation that represents a large number of attack surfaces.

            15 years ago you really did need to know something to create anything other than a static HTML page. That's not true anymore.

            I'm not bashing the web designers here completely, but in so far as security is concerned, it's a massive mistake and gross negligence to expect a suitably secured website. If they want to make a website for a mom and pop pizza parlor, be my guest.

            Who makes the decisions too? People that are even more worthless than the web designers... executives. They don't understand anything WRT technology, and come to the conclusion that making a website is not all that hard because the son or daughter of their neighbor was only 17 and made a website for the fall formal or some shit. Instead of paying what you need to pay to get experienced professionals that have a grasp of all the fundamentals, they hire somebody that is nothing more than a glorified user.

            You solve this by requiring the executive only choose from certified and licensed professionals, or at a minimum, fine the living shit out of all the executives for operating any website that can't pass a thorough security audit.

            Once you introduce accountability, *real* accountability, you will be surprised at how fast those executives refuse to deal with anybody that can't provide references, certifications, and the ability to pass something similar to a PCI-DSS audit.

            That may not be appropriate or even desired for all websites everywhere, but it should damn well be required for any website that deals with medically sensitive or deeply personal data.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 5, Insightful) by krishnoid on Monday March 10 2014, @12:50AM

    by krishnoid (1156) on Monday March 10 2014, @12:50AM (#13701)

    The summary on one technology blog [slashdot.org] intimates that they didn't perform security audits on the site after deployment; if that's true, they're at least partially to blame.

    Are there any security audit guidelines in this case for the security requirements that they're accused of violating?

  • (Score: 4, Interesting) by German Sausage on Monday March 10 2014, @02:00AM

    by German Sausage (1750) on Monday March 10 2014, @02:00AM (#13713)

    $330,000 for 10,000 user records not protected = $33 per record. I think the fine should be proportional to the number of records lost. Perhaps a bit of leniency might be ok for a non-profit organization with limited resources. On the other hand the idea of protecting user information is hardly new.

    TJ Maxx lost 40 M records. Fine them 1.3 billion dollars and they won't do it again.

  • (Score: 0) by Anonymous Coward on Monday March 10 2014, @02:22PM

    by Anonymous Coward on Monday March 10 2014, @02:22PM (#13973)

    Was I the only person to notice the Virgin donation button on the BPAS homepage?

    (Oh lighten up, this crappy almost joke was supposed to make you laugh amid all this baby goo, abortions, data breaches, British cuisine and fines.)