The British pub firm Wetherspoons was recently hacked. The hacker got away with names, birthdays, email addresses and phone numbers of over 600,000 people as well as credit card information on a few customers.
The hacker contacted a reporter – I assume to brag, see link below – and said that breaching the site was not complicated and took him around 15 minutes.
Wetherspoons, in attempting to defend itself, said that the attack was against an old company website. They did not say that the data stolen was old. Or test data. It was real and live. Why you would leave an old, apparently unprotected web site online is not clear to me.
The hacker said that he offered the data for sale on the hacking site w0rm and had multiple offers in the range of $750 to $1,000 for it. He said that the data would not sell for much since it did not contain sensitive information such as bank accounts or credit card numbers. Still, if he could have sold a dozen copies, he would stand to walk away with $10,000 for 15 minutes of work. Add another 15 minutes to post the data for sale and yet another 15 minutes for sending the data to the customer and that translates to a billing rate of a little over $13,000 an hour. I can live with that sort of billing rate.
If he could repeat this trick once per week, at 52 weeks a year, that would bring him an annual, TAX FREE income of close to $700,000.
Any more questions why web sites get hacked? Didn’t think so.
Of course, if the next site had more records, better data or could be done in the same week, he would earn a better income.
From the web site owner’s perspective, if the hacker got into the site in 15 minutes, they did not do a very good job of defending it. They have a little bit of work to do.
Information for this post came from Motherboard.