Recent Developments in Data Security: Password Reuse to Post-Breach Damage Control
Over half of the data breaches in 2015 were carried out using legitimate credentials. According to the 2016 Verizon Data Breach Investigations Report, there were 1,429 incidents of credential theft last year, and 63% of confirmed data breaches exploited stolen, weak, or default passwords.
Data security experts call this a “password reuse crisis” and “low-hanging fruit for hackers.” One study found 60 percent of internet users are guilty of password reuse. And Experian reported that 25-34-year-olds average more than 40 accounts registered to one email account, using only five different passwords. Even Mark Zuckerberg had his Twitter and Pinterest accounts hacked using his “dadada” password found in the LinkedIn data breach.
Combined breaches reported by LinkedIn, Tumblr, VK.com, Fling, and MySpace total more than 642 million compromised accounts, which become a “virtual crime wave” as hackers unlock other accounts using these stolen credentials. Troy Hunt, who created the cyber-breach service Have I Been Pwned?, estimates “just the LinkedIn breach of 117 million accounts will unleash a password reuse tsunami of ‘tens of millions’ of stolen passwords that can unlock accounts elsewhere on the web.”
It’s easy to see how one password exposed through one breach potentially opens dozens of accounts that use the same password. However, regularly creating unique passwords for each of your online accounts is tedious at best, which makes password apathy understandable. And, while password managers offer a solution, their networks are not immune to hackers.
The magnitude of this problem is staggering. Hold Security researchers found a young Russian hacker bragging in an online forum that he was ready to give away millions of stolen user names and passwords for Gmail, Microsoft, Yahoo, and Mail.ru email accounts. Another hacker is offering to sell 9.3 million patient records stolen from health insurance organizations’ databases.
One security expert warns password reusers to “get ready to get busy” resetting passwords, and not just for accounts with companies that have experienced a breach. Facebook and Netflix are among companies that didn’t experience a breach but search data leak troves for matches with their customers’ credentials and force them to reset their passwords. Some data breaches occurred years ago and are just now triggering requests to set a new password. If passwords are still valid they still have value to hackers.
For example, after Yahoo acquired Tumblr it sent out notices that someone had accessed Tumblr email addresses and passwords from 2013 so as a “precaution” Tumblr accounts must reset passwords. And this recent headline reports problems related to information stolen in 2012: LinkedIn Data Breach Causes Problems Years Later.
Lessons for End-Users
The lessons learned from bad password habits are:
* Don’t reuse passwords
* Change passwords frequently
* Create strong passwords
* Use two-factor authentication
End users should follow these recommendations, but security is a shared responsibility and organizations also need to do their part. Michael Sentonas, vice president of technology strategy at CrowdStrike, says the problem of password reuse is common and, once hackers log in, the potential to access administrative credentials on a company’s network is “a serious issue.” (CrowdStrike was the cybersecurity firm called in to help with the Democratic National Committee’s data security breach.)
In addition to internal breaches and “spearphishing” emails, the list of data security issues to address with employees needs to include passwords, which have been called “the weakest link in even the most secure system.” Traditional security defenses aren’t designed to sound alerts when a hacker logs into a system with stolen credentials, since logging into the system is a legitimate action.
Therefore, in addition to implementing robust security measures to access sensitive information, organizations should train employees on how to create strong passwords, require password resets at regular intervals, and prohibit password reuse to access company networks.
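Two of the organizational controls described above, screening credentials against leaked-password troves (the practice Facebook and Netflix are credited with earlier in the article) and prohibiting password reuse, can be enforced at password-change time. The following is an added example, not code from the article or from any company it mentions. It uses a constructed in-memory breach corpus in place of a real leak dataset, and its `range_lookup` function stands in for the server side of a k-anonymity range query (only a short hash prefix is sent, never the full hash), the pattern breached-password lookup services use. The PBKDF2 history store and the `PasswordHistory` and `evaluate_new_password` names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample breach corpus: SHA-1 digests of passwords that appeared
# in leaks ("dadada" is the one the article attributes to the LinkedIn dump).
# A real deployment would use a large leaked-credential dataset or a lookup service.
_LEAKED_PLAINTEXTS = ["dadada", "password", "123456", "linkedin"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXTS}


def hash_prefix_and_suffix(password: str, prefix_len: int = 5) -> tuple[str, str]:
    """Split the SHA-1 of a password into a short prefix and the remainder.

    Only the prefix would leave the client in a range query; the full hash never does.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:prefix_len], digest[prefix_len:]


def range_lookup(prefix: str) -> set[str]:
    """Return every corpus hash suffix sharing this prefix (stand-in for the server side)."""
    return {h[len(prefix):] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's full hash matches a corpus entry; the match is made client-side."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return suffix in range_lookup(prefix)


def derive(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-SHA256 so that stored history entries are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordHistory:
    """Keeps salted hashes of a user's last N passwords to block reuse (assumed design)."""

    def __init__(self, keep: int = 5):
        self.keep = keep
        self._entries = []  # list of (salt, hash) tuples; plaintext is never stored

    def was_used_before(self, password: str) -> bool:
        # Constant-time comparison against each stored hash.
        return any(hmac.compare_digest(derive(password, salt), h) for salt, h in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, derive(password, salt)))
        self._entries = self._entries[-self.keep:]


def evaluate_new_password(password: str, history: PasswordHistory, min_len: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    if history.was_used_before(password):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    print(evaluate_new_password("dadada", history))
    history.record("correct horse battery staple 42")
    print(evaluate_new_password("correct horse battery staple 42", history))
    print(evaluate_new_password("another long unique passphrase 7", history))
```

The breach check and the reuse check are deliberately separate: the former compares against a public corpus and so can use a fast, unsalted hash behind a prefix query, while the latter protects the user's own secrets and therefore stores only salted, slow hashes and compares them in constant time.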
Lessons for Responding to Breaches
There is no security system that is 100 percent foolproof, given the elements of password reuse, human error, and hackers’ persistence. Two recent cases decided by the federal 7th Circuit Court of Appeals provide cautionary lessons on how an organization should respond to a data breach.
In June 2014, P.F. Chang’s restaurant customers received notice that the restaurant chain’s computer system had been hacked and debit- and credit-card information had been stolen. Before conducting an internal forensic investigation, P.F. Chang’s issued a press release regarding its security breach, encouraging its customers to monitor their credit reports and statements for affected cards.
A class action lawsuit was filed against P.F. Chang’s. One of the representative customers had fraudulent charges on his card (but the bank stopped them before they went through) and he bought a credit monitoring service for $106.98. Another customer said he spent time and effort monitoring both his card statements and other financial information for potential fraudulent charges and identity theft.
The court rejected P.F. Chang’s argument that these were mere possibilities of future harm, and found that “the increased risk of fraudulent charges and identity theft they face because their data has already been stolen . . . are concrete enough to support a lawsuit.” [Lewert v. P.F. Chang’s China Bistro, Inc. (7th Cir. 2016) nos. 14 C 4787, 14 4923]
A previous case decided by the 7th Circuit involved a security breach of Neiman Marcus’s computer systems, exposing debit and credit card information for 350,000 customers. Neiman Marcus had admitted that it suffered a data breach, offered affected customers one year of free credit monitoring and identity theft protection, and 9,200 of those cards had already been used to make fraudulent charges.
Based on this evidence, the court found that the customers “have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” [Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015) no. 14 C 3122]
These cases highlight the difficult communication decisions that are made, sometimes with limited information, in the aftermath of a data breach. Companies must comply with state notification laws, and weigh reputational considerations against the risks involved in making disclosures before a full investigation is completed.
Real cases of data security breaches can provide valuable lessons. Technological security measures cannot prevent all data theft, as employee errors account for most security breaches. The most important and effective step an organization can take to minimize the risk of a data security breach occurring in the first place is a successful training program.
Learn more about LawRoom’s Online Data Security training.
Or read our white paper on what makes an effective data security training.