Another Data Breach, Another Learning Moment
added: 11.21.2013, by Mike Spinney
Information security super sleuth Brian Krebs broke another major data breach story on his Krebs on Security blog yesterday when he wrote about a hack affecting 42 million past and present subscribers of the Australia-based online dating service Cupid Media.
Krebs, whose bread-and-butter is his extensive knowledge and adept navigation of the digital underworld, learned about the hack after finding Cupid Media subscriber information stored on the same hacker server where similar data from Adobe, PR Newswire, and the National White Collar Crime Center had been amassed.
What made the Cupid Media hack stand out to me was not just the number of personal records involved (42 million is a lot, but unfortunately breaches of such magnitude aren’t all that rare anymore), but the circumstances surrounding the breach as exposed by Krebs. Reading Krebs’ account of his discovery and what he learned after contacting Cupid Media and some of the affected subscribers stands as a learning moment both for organizations that collect data and for individuals who share their data with online services.
Let’s look at the service provider first:
The subscriber data that the hackers gained access to was apparently stored by Cupid Media in plain text. That included names, email addresses, dates of birth, and account passwords. Judging by the managing director’s response, that 42 million likely includes past and present subscribers. So not only was Cupid Media negligent in collecting and storing unprotected personally identifiable information (PII), it was keeping the data long after its users had decided to move on. Rookie mistake.
If you are an organization that collects PII, you should know that every addition to your database is an addition to your liability. Not encrypting that information not only means you run the risk of having Brian Krebs calling your office looking for answers, it increases the chances of that information being exposed accidentally, accessed by negligent or malicious insiders, or pilfered and traded by cybercriminals.
Compounding that risk factor is the fact that Cupid Media held on to millions of records long after it knew its subscribers had left. That’s an additional piling on of unnecessary risk.
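As an added illustration of the two storage failures described above (example code written for this post, not Cupid Media’s systems, which are not public): passwords kept as a salted, deliberately slow hash instead of plaintext, plus a retention purge for closed accounts. The PBKDF2 work factor, record format and sample subscribers are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Illustrative work factor; tune to your hardware and re-hash on login as it grows.
ITERATIONS = 600_000
BREACH_DATE = date(2013, 11, 21)  # "today" for the retention example


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A random per-user salt means identical passwords produce different
    records, so a stolen table cannot be grouped by password the way a
    plaintext table can, and each guess must be run per record.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def purge_departed(records: list, today: date, retention_days: int) -> list:
    """Drop records of accounts closed more than retention_days ago.

    'closed' is None for active accounts. A record kept past its purpose
    is liability with no business value.
    """
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r["closed"] is None or r["closed"] > cutoff]


# Constructed sample subscribers (not real data); note two users share a password.
SUBSCRIBERS = [
    {"email": "alice@example.com", "pw": hash_password("abc123"), "closed": None},
    {"email": "bob@example.com", "pw": hash_password("abc123"), "closed": date(2011, 3, 1)},
    {"email": "carol@example.com", "pw": hash_password("iloveyou"), "closed": date(2013, 10, 1)},
]

if __name__ == "__main__":
    kept = purge_departed(SUBSCRIBERS, BREACH_DATE, retention_days=90)
    print([r["email"] for r in kept])  # bob's stale record is gone
    print(SUBSCRIBERS[0]["pw"] != SUBSCRIBERS[1]["pw"])  # same password, different records
```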
Data is currency. Most businesses engage in some level of data collection (employees and/or customers), therefore it is incumbent upon all businesses to know what the rules are and to comply with those rules. That includes proper collection, management, security, and storage, as well as what to do after a breach has occurred. And remember – a breach will occur.
I won’t get into Cupid Media’s appalling response to the breach or to Krebs.
As for the subscribers:
One of Krebs’ findings was that – surprise! – there were a lot of unsophisticated passwords included in the Cupid Media treasure trove. Among the most popular:
By the way, none of the ten most popular passwords, which together accounted for more than 10 percent of the total subscriber base, included an alpha-numeric combination. Not even something as simple as abc123.
As Krebs points out, it’s likely that many of Cupid Media’s 42 million subscribers used the same information to access other online accounts. That means that the Cupid Media hack not only put dating profiles in jeopardy, but potentially other accounts that used the same name/email/DoB/password combinations.
In this day and age, when so many services are available cheaply and conveniently online, it’s difficult to avoid some level of digital engagement. But why would you share personal details and data about yourself with an organization and not take steps that would make your identity somewhat safer?
Let’s all take a moment from this event to re-evaluate our personal privacy practices. Are we using sophisticated passwords that include an unintuitive combination of numbers, upper and lower case letters, and symbols? Are we over-sharing personal information online?
Experience is a harsh schoolmarm. Take a lesson from the mistakes of others before she raps you on the knuckles.