How to tell of data breach

Darren Jaskowicz

Free Member
Apr 7, 2018
Hi all

I've been watching videos about this GDPR stuff and it got me thinking about something. How do I know if I get a data breach? Is this something the SSL certificate covers? Do I get an email?
If not, is there something I sign up to?

Tia

ryedale

Contributor
Free Member
Dec 17, 2013
Malton
A data breach can happen in many different ways.

If you have a website which stores customer details in a database, then that database could be hacked (either through a script weakness, poor server setup, or through somebody obtaining access passwords).

If you store personal data offline, then your home/office PCs could be infected with malware, giving hackers access to your data.

If you have staff, then they could leak customer details out of the work environment.

There are lots of different ways to have a data breach, but those are just a few of the most likely ones.

The whole point of GDPR is to get you (as a data controller) to evaluate how your data is stored: does someone manage it for you (a data processor), and if so, what measures have they taken to achieve compliance, for example.
I am sure others have also wondered about this. Here is the picture: we all have websites, some ecommerce, some not, but let's say an ecommerce website. The website is obviously hosted by a hosting company using an SSL, and your database is on their server. How do you know if a data breach has occurred on the server, which you as the web host's customer can only get certain access to?

As the web host's customer, do you need some kind of information from your web host about how they are GDPR compliant? Because I host with several web hosting companies and I have yet to be told any information by any of them as to how they are dealing with my data that they host.

ryedale

Contributor
Free Member
Dec 17, 2013
Malton
It's something we've worked extensively on as a host and a design company for the last few months - feels like I've read every resource out there!

Still updating content on our sites all the time, but we are detailing all our policies and have outlined how and where data is stored, how we manage it and how we protect against any breach.

An SSL isn't a guarantee against a data breach at all - it protects against someone snooping on transmission between a browser and a server, but it is no protection against someone getting access to unencrypted data through a site hack.

A lot depends on the individual host and how much protection and monitoring they have on their servers. E.g. we have real-time file upload scanning on the server, so we are constantly alerted if something suspicious happens and can nip potential data breaches in the bud before they become an issue, and we get alerts if cPanels are accessed from an unusual IP address.

However, the end user needs to ensure that they have as much protection on their sites as well, e.g. Wordfence for WordPress etc., and to ensure they use secure passwords. This may fall under the responsibility of their web design company (who act as a data processor as well!) or themselves if they manage the site themselves.

Russ Michaels

Free Member
Business Listing
Jan 19, 2018
To answer the specific question about SSL. Paid SSL certificates (as opposed to free Let's Encrypt ones) include various levels of insurance; the more expensive ones have more cover. All these basically cover you for is if the SSL is circumvented and doesn't do its job.
Your SSL certificate simply encrypts the data between the client and the server, so if someone is intercepting the data (a man-in-the-middle attack) between client and server, they will only get the encrypted data.

If you have not employed proper security procedures, and you get hacked through your own negligence, or through any of the methods mentioned above by ryedale, then this is nothing at all to do with the SSL. After May 18th, you could technically get a very large fine if you did get hacked and were found not to be GDPR compliant.

In the case of a website, you need to make sure that it is being properly managed and kept up to date if you are running off-the-shelf software. The reason most websites get hacked is that nobody is managing them at all. Most people just stick the website online and forget about it. A lot of people mistakenly think their hosting provider is managing their website and keeping it secure, which is wrong; they are just providing the hosting.

Your hosting provider should have malware scanning on the server itself, but this will only detect files uploaded to the server after the fact (the same as it works on your local machine). It will not detect an infection of your actual website itself, which works very differently, as this is injected into the pages or the database. Your host will only be aware of your website being hacked if someone else complains to them about it, at which point they will just switch it off.

The security and maintenance of your website is up to you, and you have to take preventative measures, such as Sucuri, which is what I use for my clients.
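Russ's point above is that server-side malware scanning only catches files that land on the disk, not a script injected into an existing page or a database row. An added example (not from the thread or any product mentioned in it) of the two checks a site owner can run themselves: a content baseline that flags any page file that changed since deployment, and a scan of page files and post rows for injected markup. All file contents, paths and table rows below are constructed samples; the indicator patterns are illustrative and are an assumption, not a complete signature set.

```python
import hashlib
import re

# Constructed sample site: the baseline taken at deploy time, and the same
# site later, after a script tag was injected into a page and a new file
# appeared in the uploads directory.
BASELINE_FILES = {
    "index.php": b"<?php include 'header.php'; ?><h1>Shop</h1>",
    "header.php": b"<html><head><title>Shop</title></head>",
}
CURRENT_FILES = {
    "index.php": b"<?php include 'header.php'; ?><h1>Shop</h1>",
    "header.php": b"<html><head><title>Shop</title>"
                  b"<script src='//example.invalid/x.js'></script></head>",
    "wp-content/uploads/cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
}
# Constructed rows from a posts table (id, body); row 2 carries a hidden iframe.
POST_ROWS = [
    (1, "<p>Welcome to our shop.</p>"),
    (2, "<p>Delivery info.</p>"
        "<iframe src='//example.invalid/ad' style='display:none'></iframe>"),
]

# Illustrative indicators of injected content (assumption: not exhaustive).
INJECTION_PATTERNS = [
    r"<script[^>]*src=['\"]?//",      # script loaded from an external host
    r"<iframe[^>]*display:\s*none",   # hidden iframe
    r"eval\s*\(\s*base64_decode",     # obfuscated PHP backdoor idiom
]

def build_baseline(files):
    """Map each site file path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_against_baseline(baseline, current_files):
    """Report files added, removed or changed since the baseline was taken."""
    now = build_baseline(current_files)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
    }

def scan_for_injection(text):
    """Return the indicator patterns that match the given page or row text."""
    return [p for p in INJECTION_PATTERNS if re.search(p, text, re.IGNORECASE)]

def scan_rows(rows):
    """Return ids of database rows whose body contains injected markup."""
    return [row_id for row_id, body in rows if scan_for_injection(body)]
```

The baseline diff catches the modified header and the new upload regardless of what was injected, while the pattern scan is what reaches content stored in the database, which a file-level scanner never sees.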
Sorry, can we get off the SSL bandwagon? I only mentioned that in this scenario to highlight in my question that the customer who has his website hosted has implemented good practice by having an SSL attached to his domain name. (I know what an SSL does, FYI.)

My query is this: so a person has purchased a domain name, implemented SSL to show good practice, and has a database hosted with a hosting company. If a breach happens, whose fault is it? Because the domain name that the web host's customer has purchased is in his name, and the database is attached to the domain name and hosted by the customer's hosting company, who becomes at fault?

I still wonder how they can figure out who is at fault if, say, the customer and the customer's hosting company both have the same information, which is obviously linked by the database. Do people who breach things add notes to the breach saying "FYI we got this from the customer's database hosted by such and such a company", or "we breached Mr So-and-so's computer to get this info"? I don't think it's that black and white.

This to me is a very grey area. What if it was taken from the database on the hosting company's side and all they do is deny this has happened to take pressure off themselves? We all know how tech companies love to pass the buck. Keep in mind that perhaps the customer only has certain access to his web hosting company's servers.

The security and maintenance of your website is up to you, and you have to take preventative measures, such as Sucuri, which is what I use for my clients.

I use Wordfence myself for WordPress sites, and always the paid-for version, so everything is done in real time.

ryedale

Contributor
Free Member
Dec 17, 2013
Malton
Unless there is an agreement in place for the host to maintain the client's site for them, then it's the client's duty (or their web designers') to ensure that the site system, e.g. WordPress, is patched and up to date. A host can ensure a server is as secure as possible, but if a client is using an insecure, outdated plugin, for example, with no firewall built into the site, or if they are loose with their passwords, then hackers will be into that account and the database.

Given one server can host hundreds, if not thousands, of sites, it's unrealistic to expect the host to be responsible for the content of sites. In a lot of cases, the host won't even know what is running in a client's hosting package.

What they can be responsible for is ensuring the server is locked down enough to ensure a breach can't spread past the affected account and that they then have established protocols for responding to the breach when it is discovered.

A breach can always be traced (sometimes more easily than others) and the reason identified.

The next Steve Jobs

Free Member
Mar 19, 2018
A key problem stems from the fact that only a tiny % of employers/employees/business owners have the level of IT skills required for due diligence ref data breach issues, and even then, who has the resources? Fewer still!

In a very real sense, 'valuable' information wants to be free by 'popular demand'.

One thing is for sure: sloppy security and poor employee relations mean you are heading for 'breach city' in a neon taxi.

Ref will you get an email?
... probably not, or at least not until after the damage has been done!