Hot on the heels of Heartbleed (albeit a different type of security issue), the eBay data breach has yet again rocked the security world - the personal details of 145 million or more active users are in the hands of hackers. This once again emphasises the uphill security challenge we are facing today; no organisation is secure and the larger organisations, despite their resources and financial muscle, are being successfully targeted.
While there has been vociferous recrimination on how the online auction giant has handled the breach, it is worth noting that: a) there are things eBay has been doing right, at least in principle, and b) all facets of security need to come together to curb security breaches.
The company had encrypted the passwords of its customers using a sophisticated, proprietary hashing and salting technology to protect the passwords. What we don’t know is how good the encryption algorithm was and whether the hackers were able to steal the encryption keys.
Encryption is only as good as the security of the keys. With the keys in the hands of hackers, encryption is rendered useless. Additionally, the use of encryption should be part of a comprehensive security deployment, not the only security control applied. The worry with the eBay incident is that duration between the breach occurring (nearly three months ago) and when it was detected (two weeks ago), may have given hackers enough time to extract the encryption keys.
The online market had rightly segregated the personal and financial data and applied encryption to the latter to safeguard it. However, they hadn’t encrypted the stored personal information of individuals, which is just as valuable to cyber criminals as financial information. Criminals have the wherewithall to match stolen credit card details with stolen identities to derive financial gain using criminal aggregation. While we can all change our passwords, we cannot change other details about ourselves such as name, address, birthdate and the like, which are also used by many organisations to verify the identity of users of their services.
As with most security incidences, the full impact of this breach will only be seen in the coming months. But once again this breach underscores the heightened need for all elements of security including people, processes and technology to come together to tackle the cyber security challenge. Also, there is no prescriptive way out of it. Breaches such as this highlight the need for everyone in an organisation to take security seriously, for organisations to share information on breaches, and for senior management to treat cyber as a key component of both the success and risk of running a business.
Adrian Davis, Managing Director for (ISC)2 EMEA