
Who is responsible if a website is hacked?

  • 26-06-2017 12:02pm
    #1
    Registered Users Posts: 925 ✭✭✭


    Hi all,

    I'm helping out a small charity who have a basic website. They received notice from the hoster that the site was taken down due to being hacked and advised a list of files that needed to be cleaned before it would be put back online.

    The files were fixed by their website designer and the site went back online.

    Within a couple of weeks the site was hacked again and the hoster advised it was being taken offline again.

    Who typically holds responsibility for protecting the site from being hacked - is it the hoster or the designer - or does it depend on the circumstances?

    Neither the hoster nor the designer are taking any responsibility. Any advice would be appreciated.


Comments

  • Registered Users Posts: 612 ✭✭✭ForstalDave


    Plates wrote: »
    Hi all,

    I'm helping out a small charity who have a basic website. They received notice from the hoster that the site was taken down due to being hacked and advised a list of files that needed to be cleaned before it would be put back online.

    The files were fixed by their website designer and the site went back online.

    Within a couple of weeks the site was hacked again and the hoster advised it was being taken offline again.

    Who typically holds responsibility for protecting the site from being hacked - is it the hoster or the designer - or does it depend on the circumstances?

    Neither the hoster nor the designer are taking any responsibility. Any advice would be appreciated.


    Depends on the contract you have with both. The designer should design a safe site but you have to ensure it's updated or they are contracted to keep it updated. Typically a hoster is not responsible for security of a site unless you pay for extra security and even then there is only so much they can do.

    You could always change to a managed site where a company would design and host it, thus giving them total responsibility.


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,056 Mod ✭✭✭✭Fysh


    If you/the charity don't know who's responsible for technical maintenance on the site, odds are good nobody is doing this. The site designer might be willing to do this but it has to be viewed as separate additional billable work (and should be planned for in case an update breaks existing functionality, etc). Otherwise they should have someone designated with the responsibility for monitoring the site for updates, along with a defined method for requesting maintenance windows and a set of tests to apply after patching to verify everything is working as expected. This method should also describe how to handle emergency security fixes that can't wait.


  • Closed Accounts Posts: 1,806 ✭✭✭i71jskz5xu42pb


    Plates wrote: »
    Who typically holds responsibility for protecting the site from being hacked - is it the hoster or the designer - or does it depend on the circumstances?

    It depends on the circumstances. It may be that the designer is using a content management system that is not secured properly. Likewise this infrastructure may be provided by the hosting company.
    In all likelihood, however, it's one of these two parties who is at fault. Whether they've contractually signed up for this responsibility is another question.


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    Just because someone made a website and someone else had somewhere to put it doesn't mean responsibility for security is assumed to lie with one or the other.

    IT Security is a completely separate role.


  • Registered Users Posts: 925 ✭✭✭Plates


    Thanks for all the replies. Will get a copy of the contracts and see where we stand.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    As others say, it depends entirely on where the security is at.

    Think of it in terms of a shopping centre and a shop. The management of the shopping centre have a duty to ensure that the centre itself is secure, but the security of individual units comes down to the person running that unit.

    In this analogy, the "unit" is your website, and the "shopping centre" is the server(s) on which your site is hosted. If your website is compromised due to a flaw in the website itself, then it's the company's problem. If the server itself has been compromised, that's the hoster's issue.

    In this scenario, which I've encountered before, the hoster has detected that the site has been compromised through a common backdoor and has taken the site offline to protect themselves. They're protecting their own reputation (so they're not seen as a source of malicious traffic), their bandwidth and the rest of their customers.
    You'll probably find the T's & C's allow them to do this.

    However, fixing the site is the company's responsibility. Whether the designer themselves is responsible depends on the agreement you had with them. If you asked them to deliver a website, that doesn't automatically mean they have an ongoing responsibility to patch and secure that website.


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    TBH this sounds very like a fire and forget WordPress.

