BreachExchange mailing list archives

How Secure is Your Old and Inactive User Data?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Nov 2013 00:17:21 -0700

http://www.forbes.com/sites/oreillymedia/2013/11/09/how-secure-is-your-old-and-inactive-user-data/

A couple weeks ago Brian Krebs announced that Adobe had a serious breach,
of customer data as well as source code for a number of its software
products. Nicole Perlroth of The New York Times updated that to say that
the breach appears to be much bigger than thought and, indeed, Krebs
agrees. Adobe themselves announced it first, earlier than Krebs’s first
report in CSO Brad Arkin’s terse blog post, Illegal Access to Adobe Source
Code.

By now, breaches are hardly news at all. All of us pros flat out say that
it isn’t a matter of *if* you get hacked, but *when*. Adobe’s is of note
solely because of the way that the news has dribbled out. First, the
“illegal access” to source code, then the news of lost customer data to the
tune of 2.9 million, then upping that to 38 million, but really actually
(maybe?) 150 million. The larger number is expired accounts—or something.

Adobe spokesperson Heather Edell said that the 38 million accounts are
*active* accounts, and that weasel word seems to explain the rest. They
have reset the passwords of the inactive accounts, but personally I’d
prefer that they delete them. Adobe has had the usual response of buying
free credit monitoring for the hacked *active* accounts. I sympathize with
not getting credit reporting for the inactive accounts as these people
aren’t at present customers.

Nonetheless, this is one of the problems of Big Data. Disks are cheap and
getting cheaper, so people don’t delete. Privacy management often means
data minimization. If someone’s account goes inactive, eventually the
inactive account should be deleted. It’s a slight inconvenience to the
inactive customer should they become active, but there is risk to holding
inactive user data.

California’s breach disclosure law, SB 1386, doesn’t differentiate between
active and inactive customers. It says that if you hold someone else’s
personal data, then certain things need to happen in the event of a breach.
Strictly speaking if Adobe is doing some things for active users, it needs
to do them for inactive users, too. That doesn’t have to go as far as free
credit reporting, but it does include the legal mandate in SB 1386.

It ought to include deleting the inactive accounts. Despite the estranged
customer/supplier relationships, they lost the personal data of 112
million people that they’re apparently not doing anything for, despite
their legal obligations. I don’t think it has to be overblown. A simple
email to the inactive accounts explaining that the breach happened and the
inactive account has been deleted would work.

Adobe is becoming a network-oriented software supplier. There are a lot of
good reasons for that, and this shift is pretty much what customers expect
these days. We don’t want software in boxes. They are expensive and we just
throw them away. Much better to get software from a download. It is good
for them and good for us customers. But they have to recognize the
liability, as well, and that is that when there’s a breach, they have to
treat all accounts the same.

Financially as well as for the good of privacy, old accounts need to be
timed out and deleted.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
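The post argues that inactive accounts should be timed out and deleted, and that every record still held at the time of a breach is in scope for notification whether the account is active or not. The sweep below is an added example written for this archive page; it is not code from the Forbes article, from Adobe, or from the list. The 12-month lock and 24-month delete thresholds, the account records, and the reference date are all constructed assumptions chosen to illustrate the lifecycle, not figures taken from the breach.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed retention thresholds (assumptions, not from the article): an account
# with no sign-in for 12 months is locked and its owner told why; after 24 months
# it is deleted so that a later breach cannot expose it at all.
LOCK_AFTER = timedelta(days=365)
DELETE_AFTER = timedelta(days=730)


@dataclass
class Account:
    email: str
    created: date
    last_login: Optional[date]  # None if the user never signed in
    locked: bool = False


def inactivity_age(account: Account, today: date) -> timedelta:
    """Time since the last sign-in; an account that never signed in is
    inactive from its creation date."""
    anchor = account.last_login or account.created
    return today - anchor


def retention_action(account: Account, today: date) -> str:
    """Decide what a nightly retention sweep should do with one account."""
    age = inactivity_age(account, today)
    if age >= DELETE_AFTER:
        return "delete"
    if age >= LOCK_AFTER:
        # Lock once (credential reset + notice); later sweeps just wait for deletion.
        return "keep_locked" if account.locked else "lock_and_notify"
    return "keep"


def sweep(accounts: List[Account], today: date) -> dict:
    """Group account e-mails by the action the sweep will take."""
    plan = {"keep": [], "lock_and_notify": [], "keep_locked": [], "delete": []}
    for a in accounts:
        plan[retention_action(a, today)].append(a.email)
    return plan


def apply_sweep(accounts: List[Account], today: date) -> List[Account]:
    """Return the accounts still held after the sweep, flagging newly locked ones."""
    kept = []
    for a in accounts:
        action = retention_action(a, today)
        if action == "delete":
            continue  # record is gone; nothing left to breach or to notify
        if action == "lock_and_notify":
            a.locked = True
        kept.append(a)
    return kept


def breach_notification_scope(held: List[Account]) -> List[str]:
    """Everyone whose record is still held is in scope, locked or not.
    The only way an account leaves this set is deletion."""
    return sorted(a.email for a in held)


def sample_accounts() -> List[Account]:
    """Constructed sample data (hypothetical users, not real breach records)."""
    return [
        Account("alice@example.com", date(2013, 10, 1), date(2013, 11, 1)),
        Account("bob@example.com", date(2011, 5, 1), date(2012, 6, 1)),
        Account("carol@example.com", date(2010, 1, 1), date(2011, 1, 15)),
        Account("dave@example.com", date(2012, 9, 1), None, locked=True),
        Account("erin@example.com", date(2010, 3, 3), None),
    ]


if __name__ == "__main__":
    today = date(2013, 11, 14)  # constructed reference date
    print(sweep(sample_accounts(), today))
    held = apply_sweep(sample_accounts(), today)
    print("in scope for breach notice:", breach_notification_scope(held))
```

Running the sweep before a breach shrinks the notification scope to the records actually kept; running it afterwards does not help, because the data was already held when it was taken. That is the practical argument for deleting rather than merely resetting inactive accounts.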
