Wednesday 24 November 2010

The cost of being hacked

Before I retired to care full time for my wife, I wrote two online bookstores. A few weeks ago the owner of those stores contacted me to ask if I could help him get them back up and running again. On investigation I found that both sites had been hacked, the access codes changed and the databases corrupted. The way these sites are run there is no need to store things like credit card or bank details, so apart from basic security, not a lot of attention had been paid to security in depth.

Thanks to good backup routines both sites were back up and running in hours, and that was that, we thought - wrong!!!!

One of the two sites was re-hacked in minutes despite the access codes being changed; the other followed a couple of days later. Time for some serious thought about security. Both sites are run on a commercially available online shop package, so there is a wealth of experience on the user forums. It quickly became apparent that this was not an unusual occurrence, and there were plenty of examples of what can happen, what to do about it and how to increase security. After a good deal of reading, this is what we decided to do:
  1. Change all the passwords to the back end of the site, making them as strong as we could by using all the available characters (ASCII 0 to 254) and increasing the length of the password, making it much harder for brute-force hacking programs to discover the username/password.
  2. Change the name of the admin folder and add extra security to that folder.
  3. Make the .htaccess file as inaccessible as possible.
  4. Change the robots file to exclude all the folders we didn't want indexed.
  5. Build some custom error pages that report every time a hacking attack is stopped.
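As an added example (not the author's configuration and not part of the shop package), here is how steps 2, 3 and 5 translate into Apache .htaccess directives, in the 2.2 syntax that was current when this was written. The renamed folder `k7q2-admin`, the `/errors/*.php` pages, the `.htpasswd` path and the list of backup file extensions are all placeholders; the host configuration is assumed to allow `Options` and `AuthConfig` overrides.

```apache
# Added example, not the author's own configuration nor part of the shop
# package. Apache 2.2 directive syntax, current when this post was written.
# Folder names, file paths, error pages and extensions are placeholders.
# Assumes AllowOverride permits Options and AuthConfig in .htaccess.

# ---- /.htaccess at the web root ----

# Step 3: refuse web requests for .htaccess, .htpasswd and similar
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# Give the second type of probe nothing to find: no folder listings,
# and no download of database dumps or backups left in the web root
Options -Indexes
<FilesMatch "\.(sql|bak|old)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Step 5: every refused or missing request is answered by a custom page
# that can record the client address, requested path and user agent
ErrorDocument 401 /errors/blocked.php
ErrorDocument 403 /errors/blocked.php
ErrorDocument 404 /errors/notfound.php

# ---- /k7q2-admin/.htaccess inside the renamed admin folder (step 2) ----

# A second password prompt in front of the shop's own admin login.
# The .htpasswd file lives outside the web root so it can never be fetched.
AuthType Basic
AuthName "Shop administration"
AuthUserFile /home/shop/private/.htpasswd
Require valid-user
```

Keep the renamed admin folder out of robots.txt (step 4): a Disallow line there publishes the very name the rename was meant to hide, and the password prompt alone keeps crawlers out.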

So far this has thrown up some surprising information. Hacking probes are there all the time, but most of them realise a site is protected and, after a very few attempts, stop trying to get in. A lot of the attacks come from IP addresses owned by large companies, but it isn't clear at this stage whether the companies are mounting the attack, a disgruntled employee is using the company equipment, or the company has itself been invaded by a botnet and is unaware that its computers are being used in this way.

There seem to be three distinct types of probe:

  1. A robot that wants to index the whole of the site - these can mostly be stopped or diverted using .htaccess.
  2. A probe looking for databases and/or customer lists.
  3. An attack that has recognised which shop package is being used and is trying to access the specific files that will reveal the order list, the customer list, payment methods etc. This is by far the most dangerous of the three and the one we need to make most effort to block.

I'm sure some of my readers will by now recognise which company I am talking about, and I want to reassure them that, to the best of our knowledge, none of their financial details can possibly have been lifted by the attackers, because the company doesn't trade using credit or debit cards. Likewise, although we know the database containing the customer list and product descriptions has been destroyed more than once, there is no evidence available at this time that any names and addresses etc. have been stolen. However, you may find that, because we have had to use backups to rebuild the database, your account no longer exists. If that is so, please log in and make a new one, and accept our apologies for the inconvenience.

This sort of action costs businesses large and small a lot of money in lost time, lost orders and other fees to get sites working again. I know what the criminal hacker is after - they want personal data and bank details. But the hobbyist hacker has me baffled. What possible motive can he/she have for trying to wreck someone's livelihood?
