Townsend Security Data Privacy Blog

Looking Back on 2015 Data Breaches

Posted by Michelle Larson on Jan 5, 2016 8:08:00 AM

2015 was a year of large and sometimes very controversial data breaches across a broad industry spectrum. The Identity Theft Resource Center 2015 Breach List contains 780 breaches and 177,866,236 exposed records. Here are just a few that everyone should be aware of:

HEALTHCARE

Anthem

    • 78.8 million highly sensitive patient records
    • 8.8 to 18.8 million non-patient records
    • Names, birth dates, Social Security numbers, addresses, employment information, and income data

Premera

    • Over 11 million subscribers
    • Names, birth dates, Social Security numbers, member identification numbers, and bank account information.

Excellus

    • 10 million members
    • Names, birth dates, Social Security numbers, member identification numbers, financial account information, and claims information

ENTERTAINMENT

Avid Life Media (ALM), the parent company of Ashley Madison

    • 37 million user accounts
    • Email addresses, first and last names, and phone numbers.

VTech

    • 6.4 million children accounts
    • 4.9 million customer (parent) accounts
    • Photos, names, passwords, IP addresses, download history, and children’s gender and birth dates.

Hello Kitty (SanrioTown)

    • 3.3 million customers, including children
    • Full names, encoded but decipherable birth dates, email addresses, and encrypted passwords, along with password reset questions and answers.

TECHNOLOGY

T-Mobile via Experian

    • 15 million records
    • Names, birth dates, addresses, and Social Security numbers and/or an alternative form of ID, such as driver’s license numbers. (This was an unusual breach because T-Mobile itself did not lose the data; Experian, a credit reporting company, suffered the breach, and it leaked T-Mobile’s customers’ data.)

TalkTalk

    • 3 breaches affecting up to 4 million user records
    • Names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account details and payment card information

Comcast

    • Over 200,000 users
    • Login credentials were sold on the dark web

GOVERNMENT

Office of Personnel Management (OPM)

    • Over 4 million personnel files
    • Over 21 million federal employees and contractors
    • Social Security numbers, security clearance information, fingerprints, and personal details that could leave federal personnel vulnerable to blackmail.

Internal Revenue Service (IRS)

    • Over 100,000 taxpayers
    • Online transcripts and significant personal information was accessed as a result of access to previously stolen identity information.

Wrapping up the year, on December 20th, 191 million registered U.S. voter records were exposed online. The database that was discovered contained more than the voter’s name, date of birth, gender, and address, which on their own are a good amount of personally identifiable information (PII). It also included the voter’s ethnicity, party affiliation, e-mail address, phone number, state voter ID, and whether he/she is on the “Do Not Call” list.

As we head into 2016, we will be focused on prevention and how we can best provide information and solutions to protect your sensitive & valuable data.

Let us know how we can help you!


Topics: Data Security, Encryption, eBook, Encryption Key Management, Data Breach

Anthem Data Breach - We Are Taking the Wrong Lesson About Encryption

Posted by Patrick Townsend on Feb 16, 2015 4:02:00 PM

We are taking the wrong lesson about encryption from the Anthem data breach. Several “experts” are weighing in with the opinion that encryption would not have prevented the breach, and even that Anthem should not bother implementing encryption to protect patient information! We don’t have a lot of information about the breach, but apparently the credentials of one or more system administrators were acquired by the attackers and used to access servers with sensitive patient data. So, if the attackers have the credentials of privileged users, it’s game over, right?

Well, hold on, Cowboy, you are taking the wrong lesson from this data breach!

Let’s start from the top. We have to use ALL of the tools at hand to deploy a defense in depth approach to protect our data. This means we need firewalls, intrusion detection, active monitoring, data leak prevention, anti-virus, two factor authentication, and everything else available to our security team to protect that information. Further, it would be irresponsible not to consider encryption an essential component of a defense in depth strategy.

I am sure that Anthem already has a large number of these tools and defenses deployed in their environment. Should they just unplug them all and throw up their hands? Is surrender the best approach given the intelligence and persistence of dedicated attackers? 

Of course not, surrender should not even be in our vocabulary!

Encryption and related encryption key management tools are critical for any company that wants to protect the sensitive information of their customers (or patients, in the case of Anthem), employees, and business partners. It’s mandated by many compliance regulations such as PCI DSS, which requires merchants and payment processors to encrypt credit card account numbers. It’s highly recommended for protecting patient information by anyone like Anthem who is a Covered Entity under HIPAA regulations (any bets on how soon that will move from “recommended” to “required” status?). All serious security professionals know that encryption is a critical security component and recommend it as part of an organization’s security strategy.

Does this mean encryption is the perfect defense? Of course not. Given enough authorized access to sensitive data, even encryption may not be able to prevent a breach.

Encryption raises the bar for the attacker. It narrows the attack surface and makes the attack more difficult. Unlike the situation at Anthem, in many cases an attacker compromises a non-privileged account and steals the database full of sensitive information. If the sensitive data is not encrypted, the data is lost. If the data is encrypted and you've protected the encryption key, the data is safe. Effective defenses involve a layered approach and constant vigilance. If we use all of our tools effectively, including encryption, we have a very good chance of detecting an attack early and thwarting it.

A few months ago Adobe suffered a breach and lost millions of records. But the most sensitive data was encrypted. That story basically went away in a couple of days. Target and Sony also suffered large data breaches – do you think they wish they had been encrypting their data? You bet they do! Their stories never seem to go away.

Delay, hopelessness, and surrender are not going to help and are not justified.

This is the lesson we need to learn about encryption.

Patrick


Topics: Encryption, Data Breach

Notable Data Security Breaches of 2014

Posted by Michelle Larson on Jan 8, 2015 10:40:00 AM

Make 2015 your year for increased data security with Encryption & Key Management

During the 2014 holiday season, the Sony data breach made the headlines even though the numbers affected weren’t in the millions like the 102 million PlayStation Network records that were breached back in 2011. This time, beyond all the damage done to their systems, Sony Pictures Entertainment became one of the most publicly blackmailed corporate breach victims to date. The group that took over the company network had a list of demands that went along with the financial data and legal information being leaked onto file-sharing sites and sent directly to rival Hollywood studios.

While the end results of the Sony breach may take time to be fully realized, there were a number of other large scale data breaches this year. Some of these you may be familiar with, more may yet be reported, and others might surprise you: 


  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million global members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • JPMorgan Chase
    76 million people were affected by the loss of PII including names, addresses, phone numbers, and email addresses.
  • Google
    5 million people had their account information compromised with the theft of usernames and passwords.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, 20,000 employees’ personal information was stolen and used to open fraudulent credit cards by 3 human resources employees.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events, or by one of the 600+ breaches reported so far this year. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data. Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after. Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information. For example, the unintentional loss of data on unencrypted backup tapes would be considered a reportable data breach event.

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance.

  2. Make sure you know where all of your sensitive data is stored, and who has access to it.

  3. Use standardized encryption algorithms to make that data unreadable.

  4. Use an encryption key management solution to protect keys away from the data.

  5. Use two-factor authentication whenever possible, because passwords are no longer enough.

To help open up the conversation around your conference table, download this eBook on “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!


Topics: Data Security, Encryption, Encryption Key Management, Data Breach, Video

The Most Frightening Data Breaches of 2014… So Far!

Posted by Michelle Larson on Oct 31, 2014 5:11:00 AM

It’s not just “Target”… everyone has a bullseye painted on their information!

Forget about vampires, werewolves, and other things that go bump in the night. If you want to be truly frightened this Halloween, just take a look at some of the 395 data breaches reported in the first half of 2014 alone.

According to the Identity Theft Resource Center there has been a 21% increase in breaches (and that is just the ones that have already been reported to regulators) compared with the same period last year. Some of these you may be familiar with, others might surprise you:

  • eBay - online retailer
    The breach is thought to have affected the majority of the 145 million members when a database containing customer names, encrypted passwords, email addresses, physical address, phone numbers, and dates of birth was compromised.
  • Home Depot
    In a large nationwide malware attack, 56 million card records were stolen through point-of-sale systems. In a second attack in Atlanta, 20,000 employees’ personal information was stolen and used to open fraudulent credit cards by 3 human resources employees.
  • Michaels Stores - craft stores nationwide
    The point-of-sale (POS) systems at 54 stores were attacked using malware and up to 3 million payment card numbers and expiration dates were obtained.
  • Snapchat (online photo app and delivery service)
    4.6 million accounts were hacked and millions of images stolen. The information (phone numbers and user names) was posted online at Reddit and on another site that has since been taken down.
  • Neiman Marcus (retailer)
    1.1 million payment cards were compromised over a period of 8 months as hackers repeatedly breached the point-of-sale systems through a central processing server.
  • AIG (American International Group)
    774,723 customers. The insurance provider confirmed that a file server and two laptops holding personal information were stolen by a former financial adviser.

Those are some pretty significant numbers, and most likely everyone that reads this blog has been affected in some way by at least one of these events. What we all need to remember is that cyber crime isn’t limited to “Black Hat” hackers that only go after the big piles of data.  Sometimes it is a disgruntled employee that destroys or releases sensitive data. Sometimes it is an unintentional employee error, or loss of an employee’s laptop/thumbdrive that thieves go after.  Often it is the smaller company or mid-sized Enterprise that hasn’t yet implemented security steps, like encryption and authentication, to protect their sensitive information.  

If the first list didn’t give you a fright, here is another that might make you tremble with fear. However, we would prefer if it resulted in the topic of data security brought up at your next security and risk management meeting!


University of Maryland
307,079 individuals - personal records
*Hackers broke in twice and stole data

North Dakota University
291,465 student and staff records

Sutherland Healthcare Solutions
168,000 patients
*Stolen computer equipment containing personal health & billing information

Sally Beauty Holdings (retailer)
25,000 customers lost credit card data to a hacker

Catholic Church - Archdiocese of Seattle
90,000 employees and volunteers - database records

Goodwill Industries (charitable resale)
868,000 customers from approximately 330 stores

Jimmy John’s (national sandwich shop)
*undisclosed number of customers from 216 corporate and franchised locations

Internal Revenue Service (IRS)
20,000 individuals affected
*Employee incident - an employee loaded an unsecured drive onto an insecure home network

Assisted Living Concepts
43,600 current and former employees in 20 states, had their payroll files breached when the vendor’s system was hacked.

Coca-Cola
74,000 people lost unencrypted personal information to a former employee from Atlanta who stole 55 laptops. Company policy requires laptops to be encrypted, but they weren’t.

The Montana Department of Public Health and Human Services
A server holding names, addresses, dates of birth, and Social Security numbers of approximately 1.3 million people was hacked.

Spec’s - wine retailer in Texas
Affecting as many as 550,000 customers across 34 stores, hackers got away with customer names, debit/credit card details (including expiration dates and security codes), account information from paper checks, and even driver’s license numbers.

St. Joseph Health System
Also in Texas, a server was attacked that held information on approximately 405,000 former and current patients, employees, and beneficiaries. This data included names, Social Security numbers, dates of birth, medical information, addresses, and some bank account information.

The US Department of Health and Human Services has a breach database of incidents related to exposure of personal health information.  Due to late entries, dates weren’t listed, but the following were reported:

  • 25,513 records at Dept. of Medical Assistance Services in Virginia
  • 22,511 records at Cook County Health & Hospital System
  • 18,000 records at Terrell County Health Dept. in Georgia
  • 10,000 records at Health Advantage in Arkansas
  • 84,000 records at St. Francis Patient Care Services in Tulsa, OK
  • 10,024 records at Missouri Consolidated Health care

A new study from researchers at Gartner indicates that it is markedly less expensive for companies to invest in new security and encryption technologies than it is for them to respond to a data breach. According to the analyst firm, businesses pay roughly $6 per year per user for encryption tools, or $16 per user per year for intrusion prevention software licenses, versus paying out an average of $90 per user to address problems after a breach has occurred.

Five steps you can take to make sure this doesn’t happen to you:

  1. Have a defense-in-depth strategy that meets your level of risk tolerance
  2. Make sure you know where all of your sensitive data is stored, and who has access to it
  3. Use standardized encryption algorithms to make that data unreadable
  4. Use an encryption key management solution to protect keys away from the data
  5. Use two-factor authentication whenever possible, because passwords are no longer enough

To help open up the conversation around your conference table, download this eBook “Turning a Blind Eye to Data Security” and find out more about the tools & resources to begin discussions about data security in your company!


Topics: Alliance Key Manager, Data Security, Encryption, eBook, Encryption Key Management, Defense-in-Depth, Data Breach, Security News

Want to Get Bigger Clients? Give Them Encryption & They Will Come

Posted by Liz Townsend on Sep 26, 2014 8:55:00 AM

Business leaders are becoming more and more scared of an impending data breach. Most IT security professionals agree that a data breach is no longer a matter of “if” but “when”. While major enterprises are now scrambling to implement strong encryption and encryption key management to protect customer data, for many companies, like Target and Home Depot, these efforts are too little, too late.

These medium to large enterprise-sized businesses are now holding their vendors and partners to a higher security standard. As a B2B organization that would like to onboard these larger clients, you should consider learning how to implement strong data security into your hardware, software, and cloud applications.

Encryption is one of the best-kept secrets of companies that have prevented or mitigated the consequences of a data breach. Because encryption renders data unreadable, any unauthorized access to that data is useless to the person who sees it. If the encryption key is adequately protected and not discovered by the intruder, then there is no way to decrypt the data and the breach has been secured. Encryption and encryption key management are the most defensible technologies for data breach protection.

Today encryption and encryption key management are as easy as launching an AMI in Amazon Web Services (AWS), in just a few minutes. Developers can now launch Townsend Security’s key manager, Alliance Key Manager (AKM), in AWS, Microsoft Azure, or VMware and receive up to two free licenses to develop and test encryption and key management in their applications. Alliance Key Manager is FIPS 140-2 compliant and provides NIST compliant AES encryption services so that encryption keys never leave the key server.

Businesses are not only concerned with risk management. Meeting compliance using standards-based solutions is also a critical piece to building defensible data security. Especially for government organizations that must comply with FISMA, many CIOs and CTOs won’t even consider an encryption or key management solution that hasn’t undergone NIST certification.

The importance of NIST compliance is far-reaching. Implementing a solution that meets an industry standard means that your solution will stand up to scrutiny in the event of a breach. NIST compliant encryption and key management have been tested against accepted standards for cryptographic modules and are routinely tested for weaknesses. Can meeting compliance regulations still be a low bar? Of course, but following standards and then implementing accepted best practices is the only way to meet compliance and achieve the highest levels of security.

With the Townsend Security Developer Program, you can develop applications that not only meet compliance requirements but exceed them, giving your clients the highest levels of security; you can win enterprise clients that you haven’t been able to work with before; and you gain access to a host of Townsend Security APIs that have been designed for easy integration into new development projects.

Language libraries we provide for Alliance Key Manager include: Java, C/C++, Windows .NET application source code, Perl, and Python. Also available are client side applications for SQL Server and Drupal CMS.

To learn more and to join our Developer Program, click here.


Topics: Developer Program, Data Breach, Business Risk, Executive Leadership

Your IBM i May Have a Heartbleed Issue After All

Posted by Patrick Townsend on Apr 22, 2014 2:45:00 PM

A few days ago I noted here that the IBM i (AS/400) did not have a Heartbleed vulnerability, and I shared a link to an IBM statement about this. It looks like IBM got a little ahead of themselves. You need to be aware of the new IBM Heartbleed security advisory for Power Systems.

The advisory only applies to selected IBM i platforms, so be sure to read the entire advisory to understand whether you are affected.

This advisory includes the Hardware Management Console (HMC) which is widely used by IBM i customers with multiple logical partitions (LPARs). Even if you use the HMC to manage a single LPAR, you are probably affected by this advisory. Almost everyone enables HMC terminal access services in such a way that they would be exposed to the Heartbleed vulnerability.

If you do have a vulnerable IBM i system, you should follow IBM’s advice and force your IBM i users to change their passwords. If you’ve already done this before applying the recommended updates, you should do it again (after you put on your teflon suit, of course).

Don’t forget to ask your third party vendors about any Heartbleed vulnerabilities in their software.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

Patrick


Topics: Data Security, Data Privacy, IBM i, Data Breach

Heartbleed and the IBM i (AS/400)

Posted by Patrick Townsend on Apr 11, 2014 11:07:00 AM

The OpenSSL Heartbleed security vulnerability is arguably the biggest security exposure in the history of the Internet. While IBM i (AS/400, iSeries) customers may be somewhat isolated from the larger impacts of this vulnerability, there are good reasons not to take this event lightly.

First, a disclaimer: Only IBM can comment in a definitive way on any Heartbleed vulnerabilities in the IBM i. The following are my opinions based on several years of work on the platform.

[UPDATE: IBM has issued a Security Bulletin stating that the IBM i is not affected by CVE-2014-0160 (Heartbleed)]

The first important fact to know is that OpenSSL is not commonly used in traditional IBM i network applications. IBM has an SSL/TLS library named GSKit and a certificate management application named Digital Certificate Manager. The underlying secure TLS implementation is not based on OpenSSL for these IBM-supplied applications. They probably do not pose a security issue for IBM i customers.

IBM does use OpenSSL in some of their IBM i open source applications. For example, the SSH implementation on the IBM i uses OpenSSL. On a V7R1 system I started an SSH session and looked at the output:

OpenSSH_4.7p1, OpenSSL 0.9.8m 25 Feb 2010

As you can see in the first log message, OpenSSL version 0.9.8m is used in SSH. Fortunately this version of OpenSSL is not vulnerable to Heartbleed. You should check your implementations of SSH, Apache, Websphere, Perl, PHP, and other open source applications to verify that they do not use a version of OpenSSL with the Heartbleed vulnerability.
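The version check the paragraph above asks for can be automated across a fleet of systems. The script below is an added example written for this post, not IBM’s or Townsend Security’s code: it pulls the `OpenSSL x.y.z` token out of banners like the one quoted above and classifies each against the range affected by CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f plus 1.0.2-beta1; 1.0.1g carries the fix, and the 0.9.8 and 1.0.0 branches never had the bug). Every banner except the first is constructed test data.

```python
import re

# Constructed sample banners in the format `ssh -V` prints. The first is the one
# quoted in the post; the rest are made up to exercise the affected range.
SAMPLE_BANNERS = [
    "OpenSSH_4.7p1, OpenSSL 0.9.8m 25 Feb 2010",
    "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSH_6.6p1, OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSH_6.6p1, LibreSSL 2.0.0",
]

# Matches "OpenSSL 1.0.1e" or "OpenSSL 1.0.2-beta1": the letter suffix is the patch
# level within a branch, the optional "-betaN" marks a pre-release build.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) or None if no OpenSSL version is present."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, letter, beta = match.groups()
    return (int(major), int(minor), int(patch), letter, beta or "")


def is_heartbleed_vulnerable(version):
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
    1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never contained the heartbeat bug."""
    major, minor, patch, letter, beta = version
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"        # "" (plain 1.0.1) through "f" are affected, "g" onward fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"     # beta2 and later carry the fix
    return False


def classify_banner(banner):
    """Map one banner to 'vulnerable', 'not vulnerable', or 'unknown' (no OpenSSL version found,
    e.g. a LibreSSL build), so that unknowns are surfaced for manual follow-up rather than ignored."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_heartbleed_vulnerable(version) else "not vulnerable"


def triage(banners):
    """Return {banner: verdict} for banners collected from your systems (SSH, Apache, PHP, ...)."""
    return {banner: classify_banner(banner) for banner in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:15s} {banner}")
```

Feed it the output of `ssh -V`, `openssl version`, or whatever banner each of your open source components reports; a version this parser cannot read is reported as unknown rather than silently passed, which is the behaviour you want when the check is a gate for the password-reset step described below.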

Most third party vendors use the IBM i SSL/TLS library for secure communications. These applications will not be vulnerable to this new Heartbleed issue. All of the Townsend Security applications are based on the IBM library and not on OpenSSL. However, there are third party IBM i applications that embed OpenSSL or which use the OpenSSL application in the PASE environment. You should immediately contact your application vendors to determine if there are any exposures in their applications.

It is important to understand that while the IBM i platform may not be directly vulnerable to the Heartbleed problem, you may have lost IBM i User IDs and passwords over VPN or other connections which are vulnerable. An exploit of Heartbleed can expose any information that you thought was being protected with session encryption.

Once you know that your IBM i and all of your network services are patched or are not vulnerable to Heartbleed, you should immediately force a password change for all of your users. Don’t take a chance on missing this vulnerability at some point in your network infrastructure and exposing your IBM i data to loss.

Patrick


Topics: Data Security, Data Privacy, Data Breach

Heartbleed Vulnerability and Townsend Security Products

Posted by Patrick Townsend on Apr 10, 2014 10:59:00 AM

Security researchers have discovered a vulnerability in certain versions of the very popular OpenSSL application that can lead to the loss of critical sensitive information. The vulnerability is called Heartbleed because it affects the TLS heartbeat function in secure connections. Because OpenSSL is used by so many web applications, and because this vulnerability can be exploited, the severity is very high.

Townsend Security does not use the affected version of OpenSSL for TLS session security in any of its products, and is not affected by the Heartbleed vulnerability.

For more information about the Heartbleed security vulnerability and what you can do, please visit the following site:

http://heartbleed.com/

While Townsend Security applications are not subject to this vulnerability, it is very important that you address other applications that are vulnerable. The loss of sensitive information in one application can lead to the compromise of an otherwise unaffected application. For example, the loss of passwords in one application can lead to the compromise of another application if the same password is used. And personally identifiable information lost from one application can be used for fraudulent impersonation in another application or web service.

Patrick

Topics: Data Security, Data Privacy, Data Breach

The Target Data Breach: Could Two Factor Authentication Have Prevented It?

Posted by Patrick Townsend on Jan 30, 2014 2:09:00 PM

Today we learned that the Target data breach may have started when hackers used stolen vendor credentials to access a Target web site or application. The application and vendor is not known at this point, but there are some lessons we can learn from this breach:

You should be sure that your vendor applications do not have fixed administrative passwords or backdoor passwords. Talk to your vendors and get their responses in writing. Don’t deploy any vendor solution that has fixed passwords that can’t be changed.

You should change any default passwords on installation of vendor solutions.

  • Use strong passwords and regularly change them
  • Use Dual Control and Separation of Duties for any highly privileged users such as system and security administrators
  • Add additional security methods to protect against this type of attack (read on)

Is there anything we can do to mitigate this type of attack?

Yes, the use of Two Factor Authentication (sometimes called Multi Factor Authentication) can go a long way towards preventing this type of attack. We know that passwords alone are a poor means of authenticating a user and providing protected access to applications. Passwords are easily guessed, are often very weak, and can be stolen from our systems or from a third-party system. Two Factor Authentication (2FA) makes it difficult to use a stolen password to access a sensitive system.

How does Two Factor Authentication work?

Two Factor Authentication adds something new to your authentication process. In addition to providing a password (something you know) to access a system, you must also authenticate with something you have (such as a mobile phone or hardware token) or something you are (fingerprint or iris scan). By adding an additional authentication method that is not readily accessible to a hacker, you get much more security.

Mobile phones are ubiquitous and have become a common way to implement 2FA. After providing a password to a web site or application, a PIN code is sent to your phone via an SMS text message or voice phone call. You have to provide the correct PIN code in order to continue. This is the method that Google and Yahoo offer, and is a common feature in on-line banking web sites. A hacker may steal password credentials, but it is much harder to take control of your phone.
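The phone-based flow described above, as an added example that is not Townsend Security’s product code: a password check that, on success, only earns a one-time PIN challenge, and a PIN verification that enforces expiry, single use, and an attempt limit, so a stolen password alone cannot be turned into a session by guessing PINs. The six-digit PIN, five-minute lifetime, three-attempt limit, and the `send_pin` callback standing in for an SMS or voice gateway are assumptions of the example; the same structure works unchanged with a code from an authenticator app or hardware token.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6            # assumption: six-digit one-time PIN
PIN_TTL_SECONDS = 300     # assumption: PIN expires five minutes after issue
MAX_PIN_ATTEMPTS = 3      # assumption: three wrong PINs invalidate the challenge


class TwoFactorLogin:
    """Password (something you know) followed by a one-time PIN delivered to a phone
    (something you have). `send_pin(phone, pin)` stands in for the SMS gateway and
    `clock` is injectable so expiry can be tested without waiting."""

    def __init__(self, send_pin, clock=time.time):
        self.send_pin = send_pin
        self.clock = clock
        self.users = {}      # username -> (salt, password_digest, phone)
        self.pending = {}    # username -> (pin, issued_at, wrong_attempts)

    def register(self, username, password, phone):
        # Passwords are stored salted and stretched, never in the clear.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest, phone)

    def _password_ok(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def begin_login(self, username, password):
        """Factor one. A correct password does not log the user in; it only earns a PIN challenge."""
        if not self._password_ok(username, password):
            return False
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"   # CSPRNG, zero-padded
        self.pending[username] = (pin, self.clock(), 0)
        self.send_pin(self.users[username][2], pin)
        return True

    def complete_login(self, username, pin):
        """Factor two. The PIN is single-use, expires, and tolerates only a few wrong guesses,
        so the one-in-a-million guess cannot be brute-forced by an attacker holding the password."""
        challenge = self.pending.get(username)
        if challenge is None:
            return False
        expected, issued_at, wrong = challenge
        if self.clock() - issued_at > PIN_TTL_SECONDS or wrong >= MAX_PIN_ATTEMPTS:
            del self.pending[username]          # stale or exhausted: start over from the password
            return False
        if hmac.compare_digest(expected, pin):
            del self.pending[username]          # single use
            return True
        self.pending[username] = (expected, issued_at, wrong + 1)
        return False


if __name__ == "__main__":
    outbox = []                                 # constructed stand-in for the SMS gateway
    login = TwoFactorLogin(lambda phone, pin: outbox.append((phone, pin)))
    login.register("alice", "correct horse battery staple", "+1-555-0100")   # constructed user
    print("password accepted:", login.begin_login("alice", "correct horse battery staple"))
    print("pin accepted:", login.complete_login("alice", outbox[-1][1]))
```

Two details carry most of the security value: `begin_login` returns nothing usable as a session, so an attacker with only the password stops at the challenge, and `complete_login` deletes the challenge on expiry or after the attempt limit, so the PIN cannot be enumerated.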

In recognizing the need for better access security we recently released our new Alliance Two Factor Authentication solution for the IBM i platform. It is intended to mitigate exactly this type of attack using mobile-based 2FA.


Topics: 2FA, Data Breach, two factor authentication

Vimeo, Evernote Take Action after Adobe Data Breach

Posted by Liz Townsend on Dec 16, 2013 2:05:00 PM

But Are They Doing Enough?

Following the Adobe data breach that was reported in October of this year, other internet companies are still asking their users to reset their passwords. Facebook, Evernote, and now Vimeo are among companies who have alerted their users to the dangers of using identical passwords for multiple websites.

The Adobe breach of usernames and passwords is one of the largest in history, exposing upwards of 150 million usernames and passwords. Data breaches that expose this kind of login information are extremely problematic today since so many people use the same login information for many websites including banking and healthcare sites. Access to these sites could lead a hacker to uncovering information such as date-of-birth or even a social security number that could be used for identity theft or fraud. Unfortunately, the Adobe breach could lead to identity theft for millions.

No company wants to be considered the cause of identity theft, which is why these other businesses are taking action to reset user passwords. The big question that comes to my mind, however, is: Are they doing enough? When Adobe revealed the breach, it also brought to light the fact that they had not been using adequate security to protect their customers’ sensitive information. The breach occurred on a backup system where customer data was encrypted using DES encryption (a weak and outdated encryption standard that is no longer recommended for protecting sensitive data). The Secure Hash Algorithm 2 (SHA-2) is the current standard (along with the use of salts to add an extra layer of security) for username and password protection. Using DES encryption goes against best practices when it comes to username and password security, and although Adobe was using SHA-2 to protect most of its users’ data, the backup systems were the ones that were hacked.

It’s difficult to speculate on any company’s security practices, but the precedent of poor security practices when it comes to securing usernames and passwords is widespread. In 2013, several major (and widely publicized) data breaches of user information were traced back to the use of weak and out-of-date hash algorithms. LinkedIn, eHarmony, and LivingSocial all experienced similar, major data breaches earlier this year. The Adobe breach signals that major e-commerce businesses may be ignoring the lesson their peers had to learn the hard way. As we’ve seen, willful ignorance is not a method of data protection.
Besides asking their users to change their passwords what could Adobe have done, and what can Vimeo, Facebook, and Evernote do now to protect sensitive user information?


  • Update hash algorithms as soon as possible where all sensitive data is stored. Do NOT use MD5 or SHA-1. These are known to be weak and you should just never use them. Use one of the SHA-2 family of hashes such as SHA-256 or SHA-512.
  • Always use a salt with your hashes, and choose a strong salt value. We recommend adding a minimum of 128 bits of cryptographically strong salt to the password you are hashing.
  • Protect your salt value using a hardware security module (HSM), such as an external key management server. Like encryption keys, the salt value should be protected away from the hashed and salted data.
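The three bullets above, as an added example that is neither Adobe’s nor Townsend Security’s code: an unsalted MD5 to show the problem, per-user 128-bit salted SHA-256 as the post recommends, and the third bullet’s secret held away from the data modelled as an HMAC key the database never stores (in production it would be fetched from an HSM or key server; here it is a constructed byte string). The `hash_password_pbkdf2` variant and its iteration count are an addition beyond the post: a purpose-built password function such as PBKDF2 makes each guess cost many hashes, which a single salted SHA-256 does not.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16           # 128 bits of salt, the minimum the post recommends
PBKDF2_ROUNDS = 600_000   # assumption: tune so one verification takes tens of milliseconds on your hardware


def unsalted_md5(password):
    """The practice the post warns against: identical passwords give identical digests,
    so one precomputed table cracks every user who chose that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password_sha256(password, salt=None):
    """Salted SHA-256 as the post describes: a fresh random 128-bit salt per password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_sha256(password, salt, digest):
    _, candidate = hash_password_sha256(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hash_password_keyed(password, server_secret, salt=None):
    """The post's third bullet: a secret kept outside the database (an HMAC key here,
    an HSM- or key-server-held value in practice) so a dump of the user table alone
    gives an attacker nothing to test guesses against."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hmac.new(server_secret, salt + password.encode("utf-8"), hashlib.sha256).digest()
    return salt, digest


def verify_keyed(password, server_secret, salt, digest):
    _, candidate = hash_password_keyed(password, server_secret, salt)
    return hmac.compare_digest(candidate, digest)


def hash_password_pbkdf2(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Same salt discipline, but stretched: every guess costs the attacker `rounds` HMAC-SHA256 calls."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_pbkdf2(password, salt, digest, rounds=PBKDF2_ROUNDS):
    _, candidate = hash_password_pbkdf2(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Two constructed users who chose the same password. Returns the facts a reviewer would check."""
    pw = "correct horse battery staple"
    md5_a, md5_b = unsalted_md5(pw), unsalted_md5(pw)
    salt_a, sha_a = hash_password_sha256(pw)
    salt_b, sha_b = hash_password_sha256(pw)
    return {
        "md5_collides": md5_a == md5_b,         # True: one lookup table breaks both accounts
        "salted_collides": sha_a == sha_b,      # False: per-user salt defeats precomputation
        "salts_differ": salt_a != salt_b,
        "verify_ok": verify_sha256(pw, salt_a, sha_a),
        "verify_wrong": verify_sha256("wrong guess", salt_a, sha_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

The salt is stored beside the digest and need not be secret; its job is to make every user's hash unique. The HMAC key in `hash_password_keyed` is the value that must live away from the data, which is the separation the post's third bullet asks for.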

To learn more about data breach prevention, download the podcast, “How LinkedIn Could have Avoided a Data Breach.”

Topics: Encryption Key Management, Data Breach, Hashing