What can we learn from the data breaches at Dropbox and Yahoo?
Much has been written in the last few weeks about the huge data breaches at Dropbox and Yahoo, two of the higher-profile stories amongst a string of tech companies that have seen approximately three billion customer credentials compromised in the last four years. So what do these catastrophic losses teach both consumers and organisations about the security of their data, and the potential consequences of a breach?
Don’t just assume your data is secure
When you start to consider the breach at Dropbox, what becomes apparent very quickly is the sheer ease with which the hacker could enter their corporate network. The original breach appears to have been the result of the reuse of a password that a Dropbox employee had previously used on LinkedIn.* From there, the hacker accessed Dropbox’s entire user database, which at the time of the breach (2012) was made up of approximately 100 million customers and their associated passwords. Following the attack, Dropbox reported that a collection of users’ email addresses had been stolen but didn’t report that passwords had been taken as well!
Similarly, the Yahoo data breach that compromised at least 500 million user accounts occurred in 2014 but wasn’t announced to the public until 2016. What is not yet clear is when Yahoo learned of the breach; however, one must question the effectiveness of their security procedures and monitoring if it took two years to fully understand the scale of the loss.
For consumers of these services and the many similar cloud-based email and collaborative platforms, there are obvious concerns about the security of their data. Does this mean users should turn their back on the cloud and revert to more traditional on-premise applications? The answer, as we’ve explained in previous articles, is no – the benefits of cloud-based services in today’s digitalised world far outweigh the risks.
Instead, these stories should be a reminder to all consumers that they need to take greater responsibility for their data; be that regularly changing passwords or researching more secure alternative services. For example, the question we are regularly asked is: ‘Is there a more secure alternative to Dropbox?’
Only now are we seeing the true consequences of data breaches
These breaches serve as a reminder that no-one is exempt from a potential data breach and that the consequences can go far beyond a simple monetary fine and negative headline in the press. Often, the full impact can take weeks, months or years to play out. Take the TalkTalk data breach in 2015, where hackers stole confidential data of 157,000 customers. 12 months on, the firm estimates the breach will cost over £60m to rectify, including lost customer revenue.
In similar fashion, a month on from the Yahoo breach, the organisation has been rocked by suggestions that Verizon may pull out of its $4.83bn acquisition as a direct result of the story and its ‘material impact’.
Thus, organisations both big and small are waking up to the fact that no-one should assume they are safe from a breach and that, instead, measures need to be taken to better protect consumer and other sensitive data, and to prepare for the almost inevitable breach.
As we’ve touched on previously, the data breaches of the past must serve to help place greater importance on data security. If, as a result, more resources, including financial, are made available for organisations to invest in leading-edge security solutions, then the long-term impact of these breaches may well benefit us all!
*In 2012 LinkedIn was the victim of a cyberattack that resulted in the publication of user accounts and passwords.