Business Case Lax Security at LinkedIn Exposed
Case 5.2
On any social network, most users mistakenly believe that their privacy is only as good as the privacy of their most careless or most temporary friend. In fact, weak passwords and hackers can deprive users of all privacy.

When the business social networking site LinkedIn was hacked, hackers stole 6.5 million passwords and e-mail addresses. This data breach was discovered by IT security experts when they found millions of LinkedIn passwords posted on a Russian underground website. Experts also determined that a hacker named Dwdm was asking underground members for help in cracking the stolen passwords. Within only 2 days, most passwords were cracked.

Why were LinkedIn's passwords cracked so quickly? The simple answer is that LinkedIn was using an outdated encryption method instead of up-to-date industry-standard encryption. As a result, members' passwords were really only camouflaged and crackable.
LinkedIn Criticized for Bad Data Security
What could hackers do to your online accounts if they had your passwords for 48 hours and you did not know? That is what LinkedIn allowed to happen by waiting 2 days before notifying members that their passwords had been stolen. The company took a lot of criticism for not notifying members via Twitter or Facebook immediately. According to the chief executive of the Public Relations Consultants Association, Francis Ingham, LinkedIn ignored the first rule of crisis management, which is to be first to tell your customers.
What surprised customers and IT security experts was that a company that collects and profits from vast amounts of data had taken a negligent approach to protecting it.
E-mail Addresses are Universal Usernames
At most e-commerce and social sites, usernames are e-mail addresses, making them our universal username for online accounts. If the e-mail is a work account, then everyone also knows where we work and our login name. Therefore, knowing users' usernames and passwords provides access to corporate accounts that looks authorized, with almost no risk of being detected. Hackers attacked LinkedIn to gain access to over 161 million members' credentials as a means to gain access to much more valuable business networks and databases.
Business Risks and Collateral Damage
The hack caused the following business risks and collateral damage.
Takeover of members' other accounts by hackers, fraudsters, and other criminals. Hackers know that people reuse passwords; once their LinkedIn accounts are linked to Facebook and Twitter, far too much information may be revealed. Knowing where people worked and their e-mail accounts allowed hackers to quickly use the stolen LinkedIn passwords to log in to corporate accounts, online bank accounts, and so on to steal more data or transfer funds.
Damage to LinkedIn's biggest revenue source, its advertising business. LinkedIn's financial success is tied to its advertising revenues, which in turn are based on the number of active members and membership growth.
Fines for violating privacy laws and regulations. Any company exposing the confidential data of customers or employees faces steep fines. Regulators impose harsh penalties for breaking privacy laws and not taking reasonable care to defend against data breaches. Strict data privacy laws in states such as Massachusetts and California could keep LinkedIn fighting legal battles for years.
Cleanup costs. The cleanup cost LinkedIn nearly $1 million and another $2 to $3 million in upgrades. Forensic work on the password theft cost another $500,000 to $1 million.
Data Security: A Top Management Concern
Data security is a senior management concern and responsibility. It affects a company's operations, reputation, and customer trust, which ultimately impact revenue, profits, and competitive edge. Yet defenses that could help to prevent breaches are not always implemented. Some experts argue that senior management continues to skimp on basic protections because computer security is not regulated, that is, until a business suffers a major crisis. After the data breach, LinkedIn implemented improved password storage encryption, hired private security and forensics experts, and called in the FBI to help investigate the security breach.
Comparison with Other Cyberattacks
While 6.5 million leaked passwords represent a serious breach, it affected a relatively small percent of the more than 175 million members LinkedIn had at that time. Overall, the LinkedIn breach, while somewhat costly, did not do as much harm as those experienced by other hacked companies such as Global Payments, Sony, and Certificate Authority DigiNotar, which were literally hacked out of business.
Just the Beginning
Four years after the data breach, the number of released account details was found to be 117 million rather than 6.5 million. In May 2016, Russian hacker Peace, who sold the Yahoo data breach information in the Opening Case, made available for purchase LinkedIn account details on a marketplace in the Dark Web for $2,300. In response to the massive breach of additional accounts, LinkedIn required the affected account holders to change their passwords and urged all other users to change theirs as well. In addition, LinkedIn spent about $4 million repairing and upgrading its security infrastructure to combat future leaks (Hackett, 2016b).
QUESTIONS:
Sources: Compiled from Franceschi-Bicchierai (2016), Hackett (2016b), and Ponemon Institute (2017).