Lessons Learnt From Fine Gael Website Security Issues

The new Fine Gael website has been generating a lot of press coverage and social media discussion lately.  From a Fine Gael point of view, though, most of that coverage is not the type they wished for their shiny new website.  Last week Daragh O’Brien blogged about concerns over the hosting of the website in the US and the potential issues surrounding compliance with the Data Protection Act when using providers outside Ireland and the EU.  That issue was then picked up by a number of media outlets such as The Journal.ie and The Irish Times.  The comments on the Journal.ie piece are worth reading as they go into more detail on the actual issue, while the Irish Times piece quotes a Fine Gael spokesman as saying that the site was “absolutely secure”.

However, it turns out this was not the case and the site is not “absolutely secure”.  The security of the site was breached over the weekend by someone, or some people, claiming to represent the Anonymous group.  The attack replaced the home page of the Fine Gael website with the following image:

This attack has also gained a lot of coverage, with sites such as Politics.ie and Boards.ie discussing the issue at length, while mainstream media outlets such as The Examiner and SiliconRepublic.com have also covered the attack.  Michele Neylon also has an excellent timeline of the events of the past few days on his blog, which is worth reading when learning from this incident.

The first lesson to learn from the above issues is that before you go online you should ensure that your website complies with all the legal and industry regulations pertinent to it.  If you are an Irish, or EU-based, business collecting personal information from visitors to your website then you have obligations under the EU Data Protection Directive.  The application of the directive varies from EU state to state, but if you are based in Ireland then the Irish Data Protection Commissioner’s website contains a lot of good information on transferring data abroad.  You also need to ensure that you have a privacy statement on your website.  If your site is processing credit cards then you are also obliged to comply with the PCI Data Security Standard (PCI DSS) published by the PCI Security Standards Council.

The second lesson is that once your website is online it is a potential target for attackers.  In general, the higher the profile of your website, the more likely it is to be attacked.  So make sure that the people you engage to build your site fully understand the security threats and how to counter them.  Before going live you should engage a reputable security expert to test the site for weaknesses and act upon their findings.  You should also ensure that the website is tested at regular intervals over its lifetime, and after any significant change, to confirm that it remains secure.

The third lesson is to have an incident response plan in place to ensure that the most appropriate steps are taken in the event you are subjected to an attack.  Last week I provided some insight in a CSO Online article on “Incident Response Plan Badly Lacking, Says Experts“.  One of the areas I mentioned in that article is to ensure that you have such a plan in place so that concise, clear and reassuring communication is given to all stakeholders.  If you look at Michele Neylon’s blog post mentioned earlier, you will note that at various times during the incident the information coming from Fine Gael is disjointed.  In one of the updates Fine Gael state “We would first like to let you know that we have confirmed that the integrity of all the data collected is still intact and was not accessed at any point by this outside entity.”   However, it was revealed this morning by the Evening Herald journalist Kevin Doyle that in fact the details of over 4,000 people who posted comments to that site were compromised, including their names, email addresses, phone numbers and IP addresses.

As with everything in life preparation and planning is key to success.  So make sure your incident response plan is appropriate for your needs.  Should you need any guidance on preparing an incident response plan feel free to download our “Incident Response Best Practise Guide” white paper.

UPDATE 11/01/11

There have been some further developments since I originally posted this blog.

After reviewing the data it now appears that the details of 2,000 people who submitted comments to the Fine Gael website were compromised, and not 4,000 as originally thought.  The reduced number is due to multiple postings by the same people.

According to news reports the FBI is now involved in the investigation.  This is no surprise, as the website is hosted in the United States, so the crime would be investigated by the FBI.  The claimed association with the Anonymous group by those who breached the website’s security will no doubt add a little more interest from the FBI in this investigation.

Apparently, in a blog post on Forbes, the Anonymous group disclaims involvement in the attack.  This is also backed up by an interesting thread relating to the attack on the group’s discussion forum.  So this may be the work of an individual, or individuals, associating themselves with the Anonymous group simply to grab headlines.  This should also serve as a lesson to those investigating a breach: until all the evidence is reviewed there should be no speculation regarding the motives or the parties involved in the attack.

One question I have not seen anyone ask, nor heard any information on, is why the database containing the personal details was not encrypted.  Information relating to a person’s political opinions is deemed sensitive personal data under the Data Protection Act.  Any sensitive data that is accessible from the Internet should have appropriate security controls implemented to protect it, and those controls should be properly tested to ensure that they work as designed.  One caveat: encrypting the database only helps if the decryption key is not reachable from the component that was compromised.  If the web application itself can decrypt every record, then so can an attacker who controls it, so the key needs to be held separately from the web tier and only the fields the site genuinely needs to read should be left in the clear.