This article originally appeared in Information Security Buzz on November 13, 2018.
Hackers have been found exploiting a critical security vulnerability in a GDPR plug-in for WordPress to take control of vulnerable websites, according to security researchers at Wordfence.
Alex Calic, Strategic Technology Partnerships Officer at The Media Trust:
“These attacks show that bad actors are always on the lookout for vulnerable third parties that serve multiple websites. WordPress was good to remove the plugin and patch the security issues. More than 100K websites have installed the plugin to stay compliant with GDPR, which requires companies to obtain consumers’ explicit consent before collecting and processing their information. But GDPR also requires that companies adopt organization-wide security protocols to safeguard this information and meet data mapping requirements. This means website owners and operators should also do two things: first, know who among their internal teams and third parties access and process this data and, second, protect that data from falling into the wrong hands. The latter includes updating and applying patches to whatever technologies they use, which are likely provided by third parties. Unfortunately, most website operators remain unaware of who and how secure all their third parties are. This is their biggest source of risk because third-party code suppliers are popular targets among bad actors.”