I read about Hershey’s website compromise in this morning’s paper: “Hacker targets Hershey recipe”, and couldn’t help but wonder: why? Why hack into a website, only to change a recipe involving chocolate? What’s the point?

Clearly, there may be more to the story than we know. The movie-watching, suspicious part of me speculates that the recipe change was merely a cover-up for some more nefarious purpose. Hershey admits that the site stores consumer name and address information, so perhaps that consumer data was stolen. And there is the possibility that this website was simply a jumping-off place for hacking further into the network. We may never know, which is why we should all be very careful about handing out our personal data.

As a consumer, the lesson learned is this: always weigh the benefits against the potential risks before you provide a website with your personal information. Is that chocolate recipe really worth the increased risk of someone using your email for spam (or worse, identity theft)?

For businesses, this hack highlights the importance of accurately identifying the scope of an incident. If something similar happened to your company, do you have confidence that the team can accurately identify how deep the compromise went? Can the security team successfully implement security measures to prevent recurrence?

The Hershey website hack seems like a simple case of teenage-hacker-showoff tactics. For similar hacks within your business, can you prove it is nothing more?

