As someone using websites and apps, you might feel they’re like sealed boxes – you can’t look inside at how their software works or how their data is stored, and all you have to go on is trust.
But you shouldn’t be alarmed – it’s very much in the interests of companies and organisations which run websites to keep your information secure.
Sometimes laws and regulations set specific security requirements for organisations to meet. Examples in the UK are the Data Protection Act, and the Financial Services and Markets Act. The ICO (Information Commissioner's Office) has this useful guide on how organisations have to behave with your information.
Security of data stores
The computers and data stores that make up modern websites and apps are, physically, very secure. They’re not under the desk in an office but in a ‘data centre’: a large building, full of computers and almost no people, devoted to storing servers.
Physical access is highly restricted: no-one can just walk in and fiddle with these computers and stores.
The data on the disks in these computers will likely be backed up (saved) regularly, and backup computers will be available in case some go wrong. The data centre will even have its own backup power-supply.
You might have read news stories about ‘data breaches’. These are the internet equivalent of a major bank robbery: a complex crime that requires skill and planning.
Companies handling a lot of data tend to take security very seriously, but determined criminals will still try to find ways to take advantage of weaknesses or oversights. These sorts of breaches are serious but also very rare.
Often, when people say they’ve been ‘hacked’ or had data stolen or deleted, it’s because somebody else gained access to their account.
Someone might have got their login details — perhaps through a scam, from reading a piece of paper they were written on, or even by being given them.
Other common roots of ‘hacking’ are when people leave themselves logged into a public computer, let someone else use their computer, or have had their computer stolen.
It doesn’t matter how someone else gains access: once they have your login details, they can do what they like.
It’s similar to being broken into after losing your housekeys, or having them stolen – a lock can’t stop someone entering if they have the right key.
What to do about a breach or hack
If you’re worried that your password has been compromised, change it immediately – especially if you use the same password for multiple sites (which we don't recommend).
As advised in the access security section, use a password manager to help you pick strong passwords and remember them.
You should never give anyone else access to personal accounts or data. And remember, no organisation should ever ask you for your password in writing or over the phone.