
Your data’s security is your right no matter what legal activity you’re up to online

There will inevitably be sniggers as it has emerged that Adult Friend Finder (we won’t trouble you with the link) has sprung a security leak, exposing 412 million accounts to risk. Many of the reports coming in refer to it euphemistically as a “dating site”; this isn’t strictly correct. It advertises itself as a site for casual sex, simple as that.

Hence the self-righteous indignation and no small amount of sniggers. If someone puts their details on a site like that, the logic runs, they have only themselves to blame. Except…they’re not doing anything illegal. And some of them may have families who’d rather not have their finances and dignity jeopardised.

Security is not optional

The security industry has accordingly been quick to respond, particularly since this has happened before. “It’s clear that the organisation has failed to learn from its past mistakes and the result is 412 million victims that will be prime targets for blackmail, phishing attacks and other cyber fraud. All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide them with the greatest scope of protection,” said David Kennerley, director of threat research at Webroot.

Peter Martin, MD at RelianceACSN and an IT cyber security management expert, added: “It doesn’t matter what industry you are in. Company directors and managers are legally accountable for people’s personal data. Businesses need to professionalise their operations data security. To do this they’ll need trained experts and engineers, not well meaning but overworked internal staff doing their best.”

“Our whole online world is predicated on the system of trust that is underpinned by digital certificates; organisations have an obligation to ensure that this is fixed,” added Kevin Bocek, chief security strategist, Venafi. “Leaving SHA-1 certificates in place is like putting up a welcome sign for hackers that says, ‘We don’t care about security of our applications, data, and customers’.”

Are people outsourcing their security?

All of which is fine and logical but it avoids the central question of who is responsible for someone’s security when they put their details online. Technically and contractually it may be Facebook, Amazon, Adult Friend Finder, Ashley Madison (the adultery site previously hit in a similar breach) or whoever holds the data in question. Logically there’s another answer.

Whoever uploads their data in the first place has to take some responsibility and to undertake some sort of diligence about where they are leaving their details. IT managers need to make their colleagues aware of this because if someone is looking for some sort of nefarious pleasure, there’s a chance they won’t want to use their home email address – so they may have submitted their work email in their details instead. One hopes not.

However, incidents like this illustrate that it has never been more urgent to impress upon colleagues that there are acceptable uses of the Internet and their email addresses at work, and consequences if they breach these. And if this sets them thinking about what they’re doing with their private details as well, so much the better.