Companies continue to prove that they can’t protect the data they collect, or even pinpoint where it is
Security experts are fond of describing companies in one of two ways; those that have been hacked and those who don’t yet know they have been hacked.
In LinkedIn’s case, unfortunately, it was both.
It’s 2016 and instead of feeling more secure, the industry is facing an epidemic. Hacking has moved from glory seekers to ominous business plans on a trajectory to an apocalypse.
The LinkedIn situation brings a number of questions to light; are companies capable of protecting personal data, are cybersecurity forensics science or art, do end-users have a claim to future harm given it took four years for this theft to surface and reignite personal risks?
The big losers are always end-users who entrust their data to companies big and small that continue to prove they can’t protect the information they have collected. LinkedIn is only the recent headline punching bag. Others have left an indelible mark including Adobe (152 million records), Ashley Madison (30 million), Mate1.com (27 million), and the United States Office of Personnel Management (21 million).
Hackers, meanwhile, continue to abuse and replay stolen credentials and passwords to attack victims who use the same password over and over again across their accounts. The most popular password in the LinkedIn lot was “123456”.
It’s a perfect storm.
The legal system is beginning to catch up to these tragedies, but progress around protecting end-users is slow and precedence has yet to be established. Courts are tilting toward end-user claims of future harm when their credentials go missing.
The news about personally identifiable information (PII) and passwords is that crooks are coming in the back door and hauling out truckloads of information from databases and repositories that appear to have security configurations designed as part of some fraternity dare. Name, account numbers, passwords, email addresses are all PII, and nearly every company or organization collects and stores this data.
Now, we have episodes like the LinkedIn breach where 117 million end-user records containing passwords (out of 164 million pilfered) appear on the dark web four years after being stolen in a breach the company first said was a loss of 6.5 million credentials.
In 2012, LinkedIn reported in SEC filings it had spent nearly $1 million investigating and unraveling the theft of those passwords and planned to spend up to $3 million more to upgrade security on its social networking site.
Upgraded security may have had benefits, or perhaps hackers were content in 2012 with the hundreds of millions of stolen credentials LinkedIn did not notice were missing.
In 2015, LinkedIn agreed to pay $1.25 million to settle a class-action lawsuit that alleged the company failed to protect the passwords and private information of its premium subscriber customers. This most recent disclosure tells us those allegations were true.
This realization begs a question. What’s going on under the hack covers of all those other companies who don’t yet know they’ve been hacked? What’s missing? What’s at risk?
Security advances, including popular trends around authentication and encryption, clearly are aiming to offer greater protections. Time, innovation, political deals and court rulings will tell if these efforts can change the current story line.
We need to figure out how we store less data protected by better security. Innovators and vendors need to work like heroes to combat these problems; end-users need to cleanup their act and ditch the crappy passwords for better authentication; security needs to finally trump convenience, courts and regulatory bodies need to establish precedents for punishing sloppy cybersecurity; and we need to be vigilant Internet citizens that care about who has our data, and if they can protect it adequately.