The Insecurity Olympics: How 3 Companies Dropped the Baton
In the spirit of the recent 2012 Summer Olympic Games in London, one provider of identity theft protection has decided to award gold, silver and bronze medals to companies and government institutions for their poor performance at protecting data in the 2012 (In)Security Games.
"Although the medal winners stand out, they're not exceptional," said Eduard Goodman, chief privacy officer with data-security provider IDentity Theft 911 in Scottsdale, Ariz.
There were many strong contenders, said Brian McGinley, IDentity Theft 911's senior vice president of data risk management.
"Corporate America gave it a good effort, with a significant number of data breaches. Hackers and digital con men bent on stealing consumers' personal information seemed to make gains this year, too," McGinley said in a statement. "Nearly 400 breaches already have been reported this year, with about 19 million customer records affected, according to Privacy Rights Clearinghouse."
Gold: Global Payments
In the ever-popular Data Vulnerability event, the gold medal went to the Atlanta-based credit-card-transaction processor Global Payments Inc.
For at least two months earlier this year, and possibly for much longer, hackers had access to Global Payments' end-user and merchant databases. The company claims that 1.5 million accounts were exposed, but third-party estimates have reached 7 million.
Even worse was the company's handling of the matter. Global Payments admitted the breach only after independent security blogger Brian Krebs broke the news in late March.
The company then gave contradictory information about the breach to investors and media outlets, and failed to fully disclose exactly what had happened and who was at risk. The result was that revelations dribbled out for months, painting a more serious picture each time.
Visa and MasterCard quickly dropped Global Payments as an approved transaction processor, an accreditation which as of July 26 it was still trying to regain.
"This is another example of a payment-card processor [being] a weak link in the chain of the payment industry," Goodman said. "The system is only as strong as its weakest link.
"Part of the problem is that the card companies could also be doing a better job to ensure these payment-processing companies are doing what they need to do to secure that information — but the card companies can't be there all the time."
Goodman said the payment-processing companies know they have bull's-eyes on their backs, and it's really up to those companies to secure the data.
Silver: LinkedIn
The silver medal goes to professional-networking website LinkedIn, from which 6.4 million user passwords were stolen in early June.
Every data breach is bad, but LinkedIn made it worse by using a weak, easily cracked password-encryption process, by not having a full-time security officer and by denying anything was wrong for nearly a full business day, even as report after report regarding the breach piled up online.
"The password dump, as it's called, was made freely available in an online hacker forum, and it took third-party security wonks to figure out it belonged to LinkedIn," McGinley said. "It's unclear how much damage this information will cause users.
"But the breach warrants a silver medal because prevention was so darn easy," McGinley added. "LinkedIn used a run-of-the-mill weak encryption process and should have known better."
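The article says only that LinkedIn's password protection was "run-of-the-mill weak" and "easily cracked" without naming the scheme. The added example below (not from the article or from LinkedIn) makes the point concrete: it stores a small constructed set of passwords two ways, with an unsalted fast hash (SHA-1, an assumption standing in for a weak scheme) and with a per-user salt plus slow PBKDF2-HMAC-SHA256, then runs the kind of audit a defender would run on a leaked table. The user names, passwords, wordlist and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample credentials for a hypothetical site (not real data).
SAMPLE_PASSWORDS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",  # reuses alice's password
    "dave": "Tr0ub4dor&3-correct-horse",
}

# Constructed short wordlist a defender might use to audit a password store.
COMMON_WORDS = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumption: a reasonable work factor for this demo


def weak_store(password: str) -> str:
    """Weak scheme (assumed for illustration): one unsalted, fast SHA-1 hash.
    Cheap to compute and identical for identical passwords, so a leaked table
    can be matched against a precomputed wordlist with no per-user effort."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_weak_store(store: dict, wordlist: list) -> dict:
    """Defender-side check: which users' stored values equal the hash of a
    common word. Each candidate is hashed once; every matching user falls out
    of a dictionary lookup, which is what 'easily cracked' means in practice."""
    lookup = {weak_store(word): word for word in wordlist}
    return {user: lookup[h] for user, h in store.items() if h in lookup}


def duplicate_hash_count(store: dict) -> int:
    """Number of users whose stored value is shared with at least one other
    user. Unsalted hashes expose password reuse at a glance; salted records
    do not."""
    counts = Counter(store.values())
    return sum(n for n in counts.values() if n > 1)


def strong_store(password: str, salt: bytes = b"") -> str:
    """Hardened scheme: 16-byte random per-user salt plus PBKDF2-HMAC-SHA256.
    Record format (our own, an assumption): 'pbkdf2_sha256$<iters>$<salt>$<hash>'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_stores():
    """Return (weak_table, strong_table) for the constructed sample users."""
    weak = {user: weak_store(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    strong = {user: strong_store(pw) for user, pw in SAMPLE_PASSWORDS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("recovered from weak table:", audit_weak_store(weak, COMMON_WORDS))
    print("duplicate hashes, weak:", duplicate_hash_count(weak))
    print("duplicate hashes, strong:", duplicate_hash_count(strong))
    print("alice verifies:", verify_strong("linkedin", strong["alice"]))
```

Running the audit against the weak table recovers three of the four constructed users from a six-word list, and the two users who share a password have identical entries. The salted, iterated records give the same two users different entries, match nothing in the precomputed lookup, and still verify correctly for the right password. The salt removes the shared-lookup shortcut; the iteration count is what makes each individual guess expensive.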
Goodman also highlighted LinkedIn's casual attitude toward security, as well as the way in which the breach occurred.
"It's not uncommon for large companies that suffer breaches to not even really know that it's happened unless and until it's pointed out by a third party," Goodman said. "But it's rather embarrassing when that happens.
"When it's third-party security companies and white-hat hackers who have to point out to you that there's a data dump, it's shameful. It means that your security folks are asleep at the wheel."
At LinkedIn, security may have been downplayed because of the public nature of the company, Goodman said.
"Because it's about your public persona from a professional standpoint, there's no benefit in locking yourself down," Goodman said. "But that's part of the problem, because it's treated so nonchalantly."
Bronze: Zappos
The bronze medal for insecure data protection goes to online shoe retailer Zappos. Someone broke into the company's Web servers in January and made off with as many as 24 million customer records.
However, Zappos was prepared for such a possibility, and handled the incident properly.
"[The company's] reaction gained favorable coverage in the security press and probably mitigated some of the damage," McGinley said. "So what could have been a gold-medal performance took only the bronze."
Goodman agreed that Zappos had a fairly good response plan.
"If you look at the numbers, it was one of the largest exposures, but if you look at the way the company dealt with it, they were more open about it and they worked through the process. I think that kind of saved them," Goodman said.
"But the problem is that Zappos is aspiring to be another Amazon and that means they've got a lot of data and they have to recognize that," he added. "And that means there needs to be an investment into securing that data."
(Zappos is an independently operated subsidiary of Amazon.)
As McGinley pointed out, "Security isn't a path taken; it's a destination reached."
Many companies still have a ways to go.