Lack of security around passwords, emails, usernames, and other personal information leads to another easily preventable, massive data breach.
Last week we saw another major data breach of personal information due to a hacker who gained access to names, email addresses, dates of birth, and passwords protected using hashes and salt. When this story started to pop up in the news we were pretty surprised by what happened. Didn’t this exact same breach happen to LinkedIn nine months ago?
In June of last year LinkedIn suffered a similarly huge data breach and lost 6.5 million hashed passwords. The passwords were posted online and within a few hours over 60% of the passwords had been exposed. Why were these passwords so easy to crack? Because LinkedIn had been “protecting” user passwords using the hash algorithm SHA-1. SHA-1 is a known weak algorithm that is no longer recommended by the National Institute of Standards and Technology (NIST). Today it is a basic industry standard to use the stronger hash algorithm SHA-256 or SHA-512.
In the end, however, LinkedIn’s breach was really more of a headache than a disaster. A class action lawsuit brought against LinkedIn was thrown out due to lack of clear evidence that any real damage was caused by the breach. Many consumers and data security experts had probably hoped that the breach would be a wake-up call to the e-commerce community, and that anyone still using SHA-1 would upgrade their data security practices immediately; instead, it seems that many organizations have done nothing.
This is so surprising to us, not only because using better data security such as strong hashing algorithms is today considered trivially simple, but because in many states personal information such as first and last names, birthdates, and email addresses is considered personally identifiable information (PII) under state data security law. Most of these laws provide safe harbor from data breach notification if a company protects this information using industry standard tools.
In the end we hope that other businesses take note from this series of data breaches and update their data security.
How can you prevent a data breach of passwords and emails from happening to you?
- Use only an up-to-date hash method such as SHA-256 or SHA-512
- Use a hash based on industry standards: NIST publishes recommendations and standards. Always follow the most up-to-date standards.
- Use salt for an additional layer of security
- Protect the salt from loss or disclosure
- Use two-factor authentication
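As an added example (not code from the original post), here is the salted-hash approach the list above describes, in Python. It goes one step beyond the bullets by iterating SHA-256 through PBKDF2-HMAC, the construction NIST SP 800-132 recommends for password storage, and it shows beside it why a bare, unsalted SHA-1 digest is easy to crack: every user with the same password ends up with the same digest. The iteration count and sample password are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # constructed work factor; tune for your hardware
SALT_BYTES = 16        # 128-bit random salt, one per user
ALGO = "sha256"


def unsalted_digest(password: str, algo: str = "sha1") -> str:
    """The weak scheme: a bare hash with no salt. Two users who chose the
    same password get the same digest, so one precomputed table cracks all
    of them at once."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256, NIST SP 800-132).
    Returns a self-describing record: algo$iterations$salt_hex$hash_hex,
    so the salt and work factor travel with the hash and can be upgraded."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    pw = "Summer2013!"
    alice, bob = hash_password(pw), hash_password(pw)
    print("unsalted SHA-1 digests identical:",
          unsalted_digest(pw) == unsalted_digest(pw))   # True: crackable in bulk
    print("salted PBKDF2 records identical:", alice == bob)  # False: salt differs
    print("correct password verifies:", verify_password(pw, alice))
    print("wrong password verifies:", verify_password("summer2013!", alice))
```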
How can you prevent a data breach that compromises your customers' very sensitive data such as credit card information, social security numbers, and private health information (PHI)?
- Use AES Standard Encryption to protect critical sensitive data such as credit card information and social security numbers.
- Use a FIPS 140-2 compliant key management system that implements key management best practices such as dual control, split knowledge, and separation of duties.
- Use a system monitoring tool that will alert you to important changes in your database such as unauthorized access in real time in order to stop suspicious activity before it’s too late.
To learn more about how companies such as LivingSocial and LinkedIn could have avoided a data breach, download the Podcast: How LinkedIn Could Have Avoided a Data Breach.