You’ve been hacked.
The realization settles in the pit of your stomach. Your mind reels with questions, and you wonder just how much this’ll cost. You’ve been hacked. There’s nothing you can do now.
Once a field for pranksters and jokers, hacking has become a multi-billion dollar industry. Crunching the numbers, over seventeen million Adobe Commerce (Magento) sites (83% of all Magento sites worldwide) are vulnerable to cyber attack. That accounts for almost 132 billion dollars in revenue. Hair-raising? Yes, but let’s fix that.
Indeed, the time to start thinking about what to do in the unfortunate event of a data breach is before the data breach. You most likely have a detailed data breach plan. If you don’t, you need to draft one now. Once a plan is drafted, the temptation is to declare: Mission accomplished.
It isn’t. Employees come and go. Regulations change. Internal systems are switched out for new internal systems. Comprehensive data breach plans — complete with a clear picture of who in your enterprise is responsible for what in the minutes, hours, days, weeks and months after the breach — need to be updated. Constantly. Think every six months.
Unfortunately, data breaches are here to stay. In fact, as eCommerce becomes a bigger percentage of overall retail, breaches are likely to increase. More online activity results in more personally identifiable information being passed to and stored by more websites and hackers know that as well as anybody.
Consumers are rarely in a forgiving mood when it comes to being a victim of a breach, whether a retailer is ultimately responsible or not. In fact, 52.8% of consumers surveyed by Signifyd said they would tolerate no more than one bad experience before deciding not to shop again with an online retailer. While the question did not expressly mention a data breach, it’s hard to imagine a worse experience than having your personal information stolen.
Contact Your Developer, Hosting Provider, Organizations
Reach out to certified professionals to address your issues and concerns. Companies familiar with Magento, Shopify, and other enterprise eCommerce platforms are able to secure internal and customer data to prevent the next data breach or other cyber attack. Being informed now is the best preventive measure, and it could save your business millions in valuable data and even more in lost revenue.
But when an attack is already under way, or a data breach has been noticed, it’s time to act. Most small or midsize online stores use reputable hosting providers. These hosting services frequently have security experts on staff armed with server-scouring tools that can help identify and root out malware and site spam.
The moment that you know your site has been hacked, contact your hosting provider.
If you have an on-staff developer or contracted development company specializing in eCommerce (y’know, kinda like us!), inform them as soon as possible. Developers do a lot to help find malevolent bits of code, discover potential access points, and update/maintain your security extensions to avoid further problems. In general, developers can take care of security issues not found on the hosting level.
For example, one common sort of hack hides code inside uploaded images. It can often be discovered by running a find command on a Linux-based web server to locate image files that contain script content. Some security professionals might know to check this, but to quality developers, it’s second nature.
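One way to run that check, as an added example that is not code from the original post: a POSIX shell script that lists image-named files under an upload directory whose bytes contain a PHP open tag. The directory layout and the sample files are constructed here; on a real store you would point it at your media upload path.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists image files under an
# upload directory that carry a PHP open tag: the "find command" check for
# code hidden in uploaded images. The sample files below are constructed.
set -eu

# scan_uploads DIR: print every image-named file whose bytes contain a PHP tag.
# grep -a forces text mode so binary image data is searched; -l prints names only.
scan_uploads() {
    find "$1" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
           -o -iname '*.gif' -o -iname '*.webp' -o -iname '*.svg' \) \
        -exec grep -la -e '<?php' -e '<?=' {} + 2>/dev/null || true
}

# count_suspicious DIR: number of flagged files, useful as a cron alert threshold.
count_suspicious() {
    scan_uploads "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for a store's media upload directory (assumption).
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/catalog/product"
# A clean file: PNG signature bytes and no script content.
printf '\211PNG\r\n\032\n' > "$DEMO_DIR/catalog/product/clean.png"
# A harmless polyglot: valid GIF header followed by a PHP tag, the pattern the
# post describes (code hidden inside an uploaded image). Should be flagged.
printf 'GIF89a<?php /* constructed sample */ ?>' > "$DEMO_DIR/catalog/product/logo.gif"
# Script content in a non-image file is out of scope for this particular check.
printf '<?php // legitimate theme file\n' > "$DEMO_DIR/template.phtml"

echo "Flagged files:"
scan_uploads "$DEMO_DIR"
echo "Count: $(count_suspicious "$DEMO_DIR")"
```

A flagged file is a lead, not proof: inspect it before deleting, and compare it against a known-good backup of the upload directory so you also catch files that were modified rather than newly added.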
We know, how could that be the answer? But once developers are working to fix the problem, it’s important to minimize further damage. If your site has been hacked, duty demands that you prevent further issues from harming customers, compromising your business reputation, and hurting your site’s ranking in search engines.
It may sound extreme, but sometimes the best thing a merchant can do is to take the site offline temporarily. Many good eCommerce and publishing platforms have a way to take a site down for maintenance. This prevents further damage or breaches while giving developers and security experts time to sort out the problem.
It may also be beneficial to customize the 503 maintenance message on your site, offering customers a phone number to call if they have questions about an order, or sending out a discount code for free shipping when the site returns.
Manage the Fallout
Perhaps the most painful, yet important part is dealing with the aftermath of the attack. Studies have shown that the sooner a breach is contained and communicated to the general public, the less damage occurs. This allows customers to change their passwords, be informed, and see how professionally your company is able to switch gears to address a critical issue. We’re not saying it’s a great PR moment, but sometimes doing the right thing is also the most difficult.
This is also an excellent time to reassess your current data protocols. When was the last time you ran a code audit? What went wrong? How can you prevent it next time?
These are the questions you should be asking as you educate your employees on best practices and look toward the future. If a data breach has left you unsure of your next direction, or this is the first time it’s happened to you, consider speaking with a strategist to assess the best path to better sales success next quarter.
Once you’re aware of a breach, there are a number of steps you should take. In summary:
- Determine the scope and cause of the breach.
- Take immediate action to protect any vulnerabilities involved. Consider taking part or all of your site offline until you understand the full scope of the attack.
- Be prepared, within 24 hours, to notify all affected parties of the breach, after consulting with legal advisors.
- Include clear instructions to those affected regarding what happened, what information was leaked, what those affected can do to protect themselves from further harm, and what your company intends to do to limit the possibility of a future breach.
- Be clear about who at your company data breach victims can contact, and how they can reach that person.
- Consider offering the affected customers free credit monitoring.
- Work closely with your legal advisors and law enforcement when appropriate and seek their guidance each step of the way.
Data is precious and valuable. It’s a commodity in our modern world, and there’s good reason to be concerned about caring for it. With the right tools, there’s no need to fear for the future. Be prepared, speak with the right people, and stay on your security maintenance. It’ll pay off in the long run.