Ecommerce Security Essentials
Before Raison I worked as the Ecommerce Manager at I Want One of Those.com, or IWOOT as we would call it. We were analytical and measured everything. We also kept a close eye on our competitors and their market share, and we used that information to grow the company. It’s an important part of any marketing strategy.
We watched the rise of a new company that took the online world by storm. I’m talking about MoonPig, the customised gift card company. They moved into the gifts sector with a new angle and they did it well. In 2011 they were bought by PhotoBox and they now have a global presence.
However, it doesn’t surprise me that they have put their entire company in jeopardy.
We’ve seen it before when Lush were hacked in 2011. We see it all too often. Ecommerce is a target and ecommerce security is something that is often looked at after the fact.
(As an aside, I’m happy to say Lush now have an awesome new website courtesy of Brighton-based Drupal commerce company iKos.)
Being prepared is critical. As is having a plan to put into action when things go wrong.
Security risks are business risks
The offices at MoonPig will be hell today. They have two major problems:
- First, they had a vulnerability in their API through which customer details could be easily accessed.
- Second, and more major in my opinion, this vulnerability was brought to their attention years ago and they had not acted to fix the issue.
If you search for MoonPig on Twitter you can see the quagmire they are in. It really seems they made this problem for themselves.
At WordCamp Europe in 2014 I saw a fantastic talk by Sucuri founder Tony Perez. He talked about the importance of having a security posture. There is always a risk; how you prepare for and manage this risk is the key. I will be following the company to see how they ‘manage’ the situation. Here are some of the items I think are important for ecommerce security:
Take security seriously
Because your customers do. We have seen so many large companies have their data leaked, from the 2011 Sony hack to the iThemes clear-text debacle. Customers don’t easily forget, and they place the blame with the company.
A reputation is hard won and easily lost
Listen to your customers
The blog post by the developer who found the vulnerability, Paul, explains that he discovered the vulnerability in summer 2013. I think the biggest security lapse here is the amount of time that has elapsed since then without a solution. Listen and act upon what people tell you.
Be aware of your liability and fines
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
That’s from the Data Protection Act in the UK. There are fines for not securing data. The ICO investigate and litigate against offenders. Again, this is all terrible for business. Act quickly.
Whether you are not securing data or have not got your ecommerce PCI compliance in order, be aware that non-compliance is met with hefty fines.
Customer Service Response is Critical
Do you have a plan to contain the damage if and when you find yourself in a similar situation? It seems MoonPig have not prepared for this one. Twitter is awash with concern and uncertainty. Trust is being eroded tweet by tweet, yet they took more than 24 hours to release a comment about the situation.
@MoonpigUK I fear your definition of "safe" might differ significantly from that of your customers.
— Thomas Weilbach (@tweilbach) January 6, 2015
Not sure what to do?
If you have read this and are thinking, “Ok, I know I need to be prepared but I’m still not sure how”, then talk to a professional.
Last week I wrote about finding WooCommerce Help, which is a great place to start. In particular I recommend heading over to Clarity, where you can search for security professionals and get their advice.
I’m also on Clarity if you want to get in touch with me. If you are looking for something more long-term then we also offer a WooCommerce CTO position which looks at all aspects of growing your business. And that includes protecting it.
We’ve also got an article all about WooCommerce Security so head over there and take a look at your available options.
Finally, I’ll leave you with the video of the WordPress security talk I saw at WCEU. It is one of the most important videos any WordPress site owner can watch.