BreachExchange mailing list archives

Do consumer data breaches matter for the enterprise?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Nov 2015 13:45:50 -0700

http://www.information-age.com/technology/security/123460535/do-consumer-data-breaches-matter-enterprise

Recently, the world was shocked by the embarrassing details released after
the data breach at Ashley Madison. In addition to the site’s members being
embarrassed, hackers also exposed the personal data of millions of users.

This breach was ripe for the tabloids and became news for many water cooler
discussions. At the same time, it provided a real-time example of how
consumer breaches can and do impact corporate security and business
operations (beyond the embarrassment).

The first and most obvious lesson learned from this data breach is that if
you use a weak password on a consumer website, even if that site employs
good encryption technology (Ashley Madison used bcrypt to hash its users'
passwords), those passwords can still be cracked and exposed.

In less than a week, more than 4,000 of the Ashley Madison passwords had
been cracked. Worse, 1,191 of those passwords turned out to be unique
values, and the hackers are likely working to identify additional user
accounts related to those email addresses.

So how does this apply to the enterprise? It illustrates that even a breach
unrelated to a company can expose details that put the company at risk.
Research shows that employees reuse passwords on both work and personal
apps, creating an easy way for hackers to gain access to corporate apps
when personal apps are breached.

After the Ashley Madison breach, SailPoint did its own research around the
exposed credentials, and realised that some of our customers had employee
emails published. This was particularly concerning if those employees used
the same password for work and personal apps, because then our customers’
systems could have been compromised by hackers. SailPoint was able to
notify those organisations, which in turn forced automated password resets
to be executed to mitigate their risk of exposure.

In order to ensure that consumer-facing breaches don’t have corporate
effects, it’s imperative to educate employees on the importance of not
reusing passwords across multiple apps. An IAM solution can provide
automated password reset capabilities and help to govern password usage as
part of a larger identity governance strategy.
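The cross-check described above (find corporate addresses in a published dump, then drive forced resets through IAM) can be scripted. The following is an added example, not SailPoint's tooling or anything from the article: the dump, the corporate domain list and the directory lookup are all constructed sample data, and the hash column holds placeholders rather than real values. Only the email column is used; the hashes are never stored, since the check needs addresses, not credentials.

```python
"""Cross-check a breach dump against corporate email domains and build a
forced-reset action list.  Added example; constructed sample data only."""
import csv
import io
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed dump in the shape of a typical credential leak (email, bcrypt
# hash).  The hash values are placeholders, not real hashes.  It deliberately
# includes a mixed-case duplicate, a malformed row, an unrelated domain and a
# lookalike domain that must NOT be treated as corporate.
SAMPLE_DUMP = """\
email,password_hash
Alice.Smith@Example.COM,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000001
bob@mail.example.com,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000002
carol@unrelated.org,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000003
not-an-email,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000004
 alice.smith@example.com ,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000005
dave@example.com.evil.net,$2a$12$PLACEHOLDER0000000000000000000000000000000000000000006
"""

# Assumed corporate domains and a minimal directory (email -> user id).
CORPORATE_DOMAINS = ("example.com",)
DIRECTORY = {"alice.smith@example.com": "asmith"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(raw: str) -> Optional[str]:
    """Trim and lower-case an address; return None if it is not an address."""
    addr = raw.strip().lower()
    return addr if EMAIL_RE.match(addr) else None


def domain_matches(addr: str, corporate_domains: Iterable[str]) -> bool:
    """True if the address's domain is a corporate domain or a subdomain of
    one.  A suffix test on the bare string would accept lookalikes such as
    example.com.evil.net, so the comparison is on whole labels."""
    domain = addr.rsplit("@", 1)[1]
    for corp in corporate_domains:
        corp = corp.lower()
        if domain == corp or domain.endswith("." + corp):
            return True
    return False


def find_exposed_accounts(dump_text: str, corporate_domains: Iterable[str]) -> List[str]:
    """Parse a CSV dump with an 'email' column and return the sorted, unique
    corporate addresses it contains.  Hash columns are read but discarded."""
    exposed = set()
    for row in csv.DictReader(io.StringIO(dump_text)):
        addr = normalize_email(row.get("email") or "")
        if addr and domain_matches(addr, corporate_domains):
            exposed.add(addr)
    return sorted(exposed)


def build_reset_actions(exposed: List[str], directory: Dict[str, str]) -> List[Dict[str, str]]:
    """Map exposed addresses to IAM actions.  Addresses present in the
    directory get a forced reset; addresses that are not (former employees,
    aliases, typos in the dump) are flagged for manual review rather than
    silently dropped."""
    actions = []
    for addr in exposed:
        user = directory.get(addr)
        if user:
            actions.append({"email": addr, "user_id": user, "action": "force_reset"})
        else:
            actions.append({"email": addr, "user_id": "", "action": "review"})
    return actions


def run_check() -> Tuple[List[str], List[Dict[str, str]]]:
    """Run the whole check over the constructed sample data."""
    exposed = find_exposed_accounts(SAMPLE_DUMP, CORPORATE_DOMAINS)
    return exposed, build_reset_actions(exposed, DIRECTORY)


if __name__ == "__main__":
    found, todo = run_check()
    print("exposed corporate addresses:", found)
    for item in todo:
        print(f"{item['action']:12} {item['email']} {item['user_id']}")
```

In practice the `force_reset` action would also revoke active sessions and tokens for the account, and the `review` bucket is worth keeping: an address that is corporate but unknown to the directory is often a departed employee whose account was never fully deprovisioned.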

The second lesson emphasises the importance of proper handling of
personally identifiable information (PII). In Ashley Madison’s case, no
information, apart from the password hashes, was encrypted. This resulted
in user addresses and credit card payment information being published.

Beyond the personal embarrassment, the company is now responsible for
exposing all of its members to identity theft, or worse. Unlike the Target
breach, in which the hackers stole the PII and did not publish it, the
hackers dumped all of the data onto several well-known hacker data sharing
sites. This opened the abuse vector to just about every script kiddie on
the internet, vastly increasing the potential of future exposure and impact.

The takeaway here for the enterprise is to always encrypt personal data.
Had Ashley Madison used encryption for all personal data, things may not
have turned out as badly as they have. Whether you’re storing social
security numbers, banking details or other sensitive customer information,
any PII should be encrypted.

A final lesson from this breach is that every organisation needs to
constantly evaluate their risk posture. Data breaches like Ashley Madison
serve as an important reminder to educate employees through security
awareness training and test internal response procedures in preparation for
a potential data breach.

Data breaches are here to stay, and enterprises must remain vigilant in how
they prepare and respond, as well as how they protect their employees,
data, infrastructure, and the data they manage on behalf of customers and
partners.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
