What the Hack? Massive Breach Affects 2 Million Accounts

While numerous studies have shown people are concerned about online security, there is precious little evidence to suggest those concerns have substantially altered behavior while shopping or connecting with others via social media sites. Most people, as one security expert told RetailWire this summer, move around the internet blissfully unaware of the real dangers and act as if identity theft, for example, is something that just happens to other people.

Now comes another reminder of just how scary the internet can be. According to a blog for the cybersecurity firm Trustwave, nearly two million accounts around the globe have been hacked since the initial breach on Oct. 21. The breach happened as a result of the Pony Botnet Controller, which captures usernames and passwords as individuals log in to accounts. Passwords were hacked from Facebook (318,121), Yahoo (59,549), Google (54,437), Twitter (21,708) and LinkedIn (7,978).

The payroll service provider ADP was also among those compromised.

John Miller, a security research manager at Trustwave, told CNN that ADP was the most worrisome of the companies breached because hackers "might be able to cut checks, modify people’s payments."

ADP said that it had no evidence that any of its clients had been hurt as a result of the breach. The company, along with Facebook, LinkedIn and Twitter, has notified users to reset passwords of compromised accounts.

Discussion Questions

Do you see security concerns substantially altering the way companies or individuals go about their business online? What is your assessment of the state of online security at this point in time?

7 Comments
Ken Lonyai
10 years ago

We’ve had this discussion umpteen times here in the past and my comments have been consistent.

In all reality, there is little (if any) incentive for most companies to truly be concerned about security breaches. There are no real penalties when it happens and after the lip service, the average person does nothing and does not change their behavior. For the few people that move on to other providers/merchants/services, the effect is insignificant.

At the risk of ruffling some feathers, to those that comment here about people being upset about these issues and NSA type privacy invasion issues: please show me where anything ever changes.

Ian Percy
10 years ago

Faulty software and its attending cyber-crime is an annual $2.2 TRILLION problem in the US alone. Most focus is on “security” because we’ve been led to the erroneous mindset that constantly faulty software is a predestined, unavoidable and permanent reality. The focus should be on software performance which is generally pathetic. Even the security programs have faults providing entrance to the cyber criminal, so it’s like hiring a policeman to guard your store but he falls asleep.

40% of our IT expenditures go to “maintaining” software systems – in other words trying to keep it working. In government agencies a whopping 73% of IT spend goes to trying to get it to work – probably up substantially since healthcare.gov.

Fault-free software is not only possible, it is now a reality. The fact is the closer you get to fault-free software performance the closer you get to true security.

Ed Rosenbaum
10 years ago

I agree with Ken. So far we have had a lot of lip service with no positive results, unless you are one of the bad guys. What I am getting from all this is the bad guys are smarter than the good guys. Sad, isn’t it?

Bill Bittner
10 years ago

The classic description of what is required to ensure identity is “Something the person owns, something they know, or something about them.” This usually translates into a plastic card, password, and biometrics (e.g. thumb print). Biometrics has been slow to evolve but is beginning to appear more often.

Everyone thinks of their social security number as their Achilles heel. When you really think about it, the one piece of information that everyone provides is their email address. Knowing my email address you can link just about every online presence I have created.

The saving grace in all this is the increased use of “big data.” Credit card companies have gotten very good at identifying stolen cards from the pattern of transactions they generate. Even if your identity is stolen, it is useless because security analysts will likely give you a call to confirm its use. Of course then the challenge becomes who will answer the phone.

Karen S. Herman
10 years ago

Hacking is just one type of online security risk. Phishing as a form of social engineering is another. The bottom line here is that companies, individuals, parents with children online, need to follow a cyber security plan. It can be as simple as they like and at the minimum should include antivirus software, firewall protection, a secure WPA2 Wi-Fi network and 2 step verification if a credit card is linked to a social account.

When you are online the “stop, drop and roll” slogan for fire safety is a good one to follow. Stop if you get a suspicious email or request for confidential information; Drop any website or social site you feel is not safe; and Roll with the necessary software updates to keep all the sites you visit as secure as possible.

To help prevent being a victim of hacking, changing passwords on a regular basis, at least every six months, should be part of the plan, too.

Anne Bieler
10 years ago

Companies who have been involved in security breaches seem to go forward once the necessary repairs and advisories are in place. Individuals will change passwords and email addresses, and may become more aware of possible risks – ID theft protection, using an extra email address for social media, updating firewalls, etc. But it doesn’t seem to raise the alarm for many; it’s “just social media” – not that important compared to banking, medical and government information.

IMO, we are more vulnerable to online attacks than we want to know, and need to remain vigilant as we engage in online activity.

Shep Hyken
10 years ago

Online security is ever improving. Cyber-criminals are coming up with new ways to work around the latest security programs. Unfortunately, this is just another way to commit a crime. Before online retailing people still had their credit cards and identities stolen.

The consumer should look for assurances from the retailer that the information they share is secure. There are companies like AllClear ID that insure against identity theft. Online retailers are including this type of insurance for their customers.
