The month of May has seen high profile IT data security threats evolve, and numerous large enterprise organisations report that they have been subject to a data breach.
Data security breaches hit online retailers
This week a news story has revealed a cyber-attack which led to the data breach of approximately 145 million eBay users’ personal information. The breach, said to have happened in February, reportedly led to personal (though non-financial) information being seized, including users’ names, addresses and passwords.
The company, however, has come under heavy criticism for requesting only this month that users change their passwords, and for appearing to have noticed the breach only three months after it took place. According to Infosecurity:
“So far, there’s no evidence of the compromise resulting in unauthorized activity for eBay users, the company said, but researchers warned that because of the lack of immediate user notification, it may be too early to tell.”
In an open letter penned to eBay, Rik Ferguson of Trend Micro asks:
“If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? I note with chagrin that ‘all PayPal financial information is encrypted’, still running a two-tier system?”
The general guidance being offered to eBay users is to change their passwords and to not reuse passwords across different sites and accounts.
But eBay is not alone in experiencing a high profile hack this month.
News has surfaced today that customers of the high street shoe chain Office have been urged to change their passwords after its website became the latest victim of a data security breach. The company’s CEO Brian McCluskey said in a statement to Computing that “no credit card, debit card, PayPal or bank details were compromised in any way” – and that the matter had been reported to the relevant authorities. The information that may have been compromised includes name, address, email address, phone number and the password to the Office account.
The news has come off the back of the music streaming service Spotify also being subject to a data security breach. The Swedish firm maintained that no financial data had been accessed, but that a portion of its 40 million users will need to re-enter their log-in credentials. So far Spotify believes that only one user’s data had been accessed, and that it did not include any password, financial or payment information. The news will no doubt have caused concern among millions of Spotify’s users, whose awareness of the risk will have heightened as a consequence.
ICO publishes report about learning from the mistakes of others
Separately, the Information Commissioner’s Office has this month published a report titled “Protecting personal data in online services: learning from the mistakes of others”, with the intention of highlighting the most common IT data security vulnerabilities that have resulted in organisations failing to secure their data.
According to the ICO’s press release on the matter, “the top eight computer security vulnerabilities covered in the ICO’s report comprise:
- a failure to keep software security up to date;
- a lack of protection from SQL injection;
- the use of unnecessary services;
- poor decommissioning of old software and services;
- the insecure storage of passwords;
- failure to encrypt online communications;
- poorly designed networks processing data in inappropriate areas; and
- the continued use of default credentials including passwords.”
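Two items on the ICO’s list, the insecure storage of passwords and a lack of protection from SQL injection, are the ones most directly tied to the breaches described above, where stored passwords were among the data taken. The following is an added example, not code from the ICO report or from any of the companies named, showing the weak pattern beside the corrected one: a login lookup that splices user input into the SQL text versus a parameterised query, and plaintext storage versus salted PBKDF2 hashing with constant-time comparison. The user accounts, the iteration count and the in-memory SQLite database are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumption for the example: iteration count for PBKDF2-HMAC-SHA256.
# Tune upwards on real hardware; the point is that guessing is slow.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash: algorithm$iterations$salt$digest.

    Storing the salt and iteration count beside the digest lets the
    parameters be raised later without invalidating existing accounts.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def create_db() -> sqlite3.Connection:
    """Constructed in-memory user table; only the hash is ever stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    conn.execute(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        (email, hash_password(password)),
    )
    conn.commit()


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Weak form: the input is pasted into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    query = f"SELECT email, password_hash FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> Optional[tuple]:
    """Corrected form: the input travels as a bound parameter and can only
    ever be compared as a value, never interpreted as SQL."""
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchone()


def check_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup followed by hash verification."""
    row = find_user_safe(conn, email)
    if row is None:
        return False
    return verify_password(password, row[1])


if __name__ == "__main__":
    db = create_db()
    register(db, "alice@example.test", "correct horse battery")  # constructed
    register(db, "bob@example.test", "hunter2")                  # constructed
    print("alice login ok:", check_login(db, "alice@example.test", "correct horse battery"))
    probe = "' OR 1=1 --"  # input containing SQL syntax, used only to show the difference
    print("safe lookup rows:", find_user_safe(db, probe))
    print("unsafe lookup rows:", len(find_user_unsafe(db, probe)))
```

The two lookup functions differ by one thing only, whether the email reaches the database as text of the statement or as a bound value; the safe lookup returns nothing for input that is not a real address, while the unsafe one returns every row. On the storage side, a leaked table from `create_db` holds only the PBKDF2 strings, so an attacker who obtains it has to guess each password at the cost of the configured iteration count rather than simply reading it.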
The report also highlighted that breaches totalling almost a million pounds could have been avoided if the standard industry practices highlighted in the report had been adopted and adhered to.
Join Whitehall Media for our 2nd Enterprise Security and Risk Management conference which will be held on 3 December 2014 at the Hotel Russell in central London. For details on how to register your place to attend, visit: www.whitehallmedia.co.uk/esrm