5 Key Learnings: eCommerce Website Hacked


Author: Teemu M.
Date: 08.09.2015
Read Time: 5 Minutes

It’s an exciting time to work in eCommerce, as the business continues to skyrocket. Yet, when there is money to be made, criminals are soon to follow.

The online retail industry is a prime target for cybercrime, with its fair share of smaller attacks and notable cases, such as the Magento hack. In fact, a recent study found that 64 percent of breaches in the retail sector were due to a compromise of the eCommerce environment.

This is not surprising, as eCommerce websites are rather lucrative for cybercriminals. Firstly, eCommerce websites process your customers’ money, which by itself attracts criminals. Secondly, every transaction can yield several types of customer data that are directly associated with credit cards, making various scams and frauds easier to conduct.

So, it’s not ‘just’ a website you’re running there: you are, for your part, directly responsible for your customers’ financial and personal security. Which is why many say: “Running a website brings responsibility. Running an estore brings even greater responsibility.”



Naturally, there is more to it than just being the good guy and protecting your customers.

Firstly, many eCommerce sites are directly linked to the company’s back-end systems for CRM, data processing and logistics/supply management, making them a prime attack vector into your otherwise well-guarded business networks.

Another factor is the loss of trust in your business. In the eCommerce business, trust is your most important currency – it is critical to earn, convey and maintain trust in order to ensure your business’ success. In fact, a recent study showed that more than 40% of online shoppers would COMPLETELY STOP purchasing from a company that had compromised their online data.

Nor is it only your customers’ trust that is at stake; Google’s trust in your site matters too. The search giant continuously scans the web for malware and phishing scams. If it finds something suspicious on your site, for example malware, your site will be put on the dreaded ‘blacklist’, effectively killing your online business.

And where Google goes, many security companies soon follow. Once Google has blacklisted a site, many security vendors will also block it, further reducing the number of visitors and the trust in the site.

Finally, as an eCommerce website you are most likely dealing with credit cards, which means you will need to comply with the PCI standard. If you are attacked and found non-compliant, you are going to be in some very hot water.



A medium-sized French eCommerce site was hacked back in 2014. In many ways it’s as close to a textbook example as it gets, though sadly, it did cause the company severe financial losses (estimated at around €25,000), in addition to a legal hurdle due to the credit card fraud.

From what we know about the attack, it seems that it happened through an employee who fell for a malicious email containing an embedded link with an XSS (cross-site scripting) attack that hijacked the employee’s online session and stole her account information. Her account was then used to insert malicious code into a plugin handling payment transactions.

The attack went unnoticed for weeks, as thousands of fraudulent charges were racked up using stolen customer credit card information. Three weeks after the attack, a Google scan flagged the site due to suspicious activity and the site was blacklisted, causing a drop in daily visitors of close to 90 percent. When the site administrator realized what had happened, he took the site offline for cleaning and recovery, which was a big undertaking for the few administrators running the site – on top of getting back to their previous position in the search engine rankings.



  1. GET THE BASICS RIGHT: There is nothing new in how the estore employee was compromised, meaning that a modern security solution with strong email and spam protection will take you far. Additionally, having two-factor authentication would have made stealing that account information harder.
  2. CHOOSE A SECURE ECOMMERCE PLATFORM: In addition to the other selection criteria you have for your eCommerce platform, make sure you also evaluate its security, paying close attention to PCI compliance and SSL certificates. Many platforms also offer additional security features, such as fraud and DDoS prevention.
  3. MONITOR YOUR SITE TOGETHER WITH THE HOSTER: As the case ran undetected for weeks, it’s clear the system was not monitored properly for malicious activity. Having the right tools to monitor the site for suspicious behavior (in addition to marketing-related statistics like usage, clicks etc.) is the real-world equivalent of having security cameras in your shop. Additionally, make sure that your hoster regularly monitors their servers for malware, viruses and other harmful software.
  4. KEEP YOUR SYSTEMS UP-TO-DATE: Whenever a new patch is available, make sure you apply it immediately. This includes updates to your web server (usually done by the hoster), in addition to your other software and plugins, such as Java, WordPress, Joomla, ZenCart etc.
  5. STAY PCI COMPLIANT: When dealing with credit cards, PCI compliance is the name of the game, as it will make you harder to breach and will reduce the extent of the damages in case you ever get hacked (as opposed to getting literally all the blame, and the legal and financial burden, by default due to not being compliant). PCI compliance is not a one-off thing: you must regularly check that your site is not vulnerable to hacking attempts.
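The malicious code inserted into the payment plugin in the case above went unnoticed for weeks, which is exactly the kind of drift a file-integrity baseline (learning 3) catches. The following is an added example, not code from the original post: it hashes every file under a plugin directory, stores a baseline on the first run and reports added, removed or modified files afterwards; the directory names and PHP stubs are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline; a modified
    payment-plugin file nobody deployed is the alert the case above lacked."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def check(root: Path, baseline_file: Path) -> dict:
    """First run stores the baseline (take it from a known-clean install only);
    later runs report drift against it."""
    current = build_snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"added": [], "removed": [], "modified": []}
    return compare(json.loads(baseline_file.read_text()), current)

def demo() -> dict:
    """Constructed scenario: clean plugin baseline, then an injected change."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "plugins" / "payment"
        plugin.mkdir(parents=True)
        (plugin / "checkout.php").write_text("<?php // constructed placeholder\n")
        (plugin / "config.php").write_text("<?php // constructed placeholder\n")
        baseline = Path(tmp) / "payment-baseline.json"
        check(plugin, baseline)                # first run: store baseline
        with (plugin / "checkout.php").open("a") as f:
            f.write("// constructed: change nobody deployed\n")
        (plugin / "helper.php").write_text("// constructed: unexpected file\n")
        return check(plugin, baseline)         # second run: report drift
```

Run `check()` from a scheduled job against each plugin directory and treat any non-empty result that does not match a planned deployment as an incident to investigate.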



This blog post is the fourth in a series of posts ([Part 1], [Part 2], [Part 3]) where we look at real-life attacks against businesses. It is inspired by our upcoming eBook (also part of an ongoing series), called: CYBER SECURITY DEMYSTIFIED: Securing Business Operations. You can get the ebook from here: Read eBook
