Tuesday, November 26, 2013

Racingpost.com Hacked - How to properly handle a data breach

From Sophos Naked Security "Hackers trot off with RacingPost.com customer records".

According to the company's LinkedIn page they have between 201 and 500 employees.  Their LinkedIn profile goes on to state they receive "more than 1,000,000 unique visitors per month".  While located in the UK, they qualify as an SMB under the definition set by the US Small Business Administration.

As the article points out, the site does not store credit/debit card info.  That is good news for Racingpost.com and its customers.  However, it does store other personally identifiable information (PII) such as usernames, passwords, first and last names, customer addresses, email addresses and customer dates of birth.  This is a treasure trove of information for identity thieves, hackers and phishers.  At the very least these users can expect to see a substantial increase in the amount of spam they receive.  In a worst-case scenario identity theft is a very real possibility.  Affected users may wish to employ a credit protection service to minimize the potential of this.

While the passwords were encrypted, it is relatively easy for them to be cracked.  To see how easy this is just Google "Rainbow Tables".  More info on Rainbow Tables can be found here and here (the first two results returned by Google).  Security best practices recommend that stored passwords be hashed and "salted"; that was not the case here.  Encryption algorithms are reversible by design: whoever obtains the key recovers every password at once.  Hash algorithms are "one way" and are not reversible, so the only way back to the password is to guess it.  Adding a unique salt to each password before hashing means identical passwords produce different hashes and each account must be attacked separately, which makes cracking a whole database exponentially more difficult.  Had the passwords been hashed and salted, a Rainbow Tables attack would have been much less likely to reveal them.
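To make the hashing-versus-salting point concrete, here is a small added example (my own illustration, not code from Racingpost.com or from the Sophos article) contrasting an unsalted fast hash with a per-user salted, iterated hash. The user table, passwords and the iteration count are constructed for the demonstration. Two users share a password; with the unsalted scheme their stored digests are identical, which is exactly what lets a single precomputed table serve every account, while the salted scheme gives each of them a different digest and still verifies correctly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: three accounts, two of which reuse the same password.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "correct horse"}

# Constructed parameter: PBKDF2 work factor (real deployments tune this higher).
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Unsalted, single-round SHA-1 as a stand-in for the weak scheme.
    The same input always yields the same digest, so one precomputed
    (rainbow) table built once covers every user and every database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per
    user means identical passwords get different digests, precomputed
    tables are useless, and every guess must be recomputed per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """What the weak password table looks like at rest."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What the recommended table looks like at rest: (salt, digest) per user."""
    return {user: salted_hash(pw) for user, pw in users.items()}


def shared_password_groups(digests: Dict[str, object]) -> Dict[object, List[str]]:
    """Defender-side audit: group accounts by stored digest. Unsalted storage
    exposes which users share a password without cracking anything; with
    per-user salts the same query finds nothing, which is the point."""
    groups: Dict[object, List[str]] = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("unsalted duplicates:", shared_password_groups(weak))
    strong = store_salted(USERS)
    print("salted duplicates:", shared_password_groups({u: d for u, (s, d) in strong.items()}))
    salt, digest = strong["alice"]
    print("alice verifies:", verify("Password1", salt, digest))
```

Running the audit over the unsalted table immediately reports alice and bob as sharing a password; over the salted table it reports nothing, yet `verify` still accepts the right password and rejects a wrong one. Modern deployments would use bcrypt, scrypt or Argon2 in place of PBKDF2, but the salt-per-user principle is the same.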

How many of these username and (potentially cracked) password combinations do you think have been used for other online accounts? As discussed in the article, password reuse is fairly common. All affected users should immediately change their passwords for any and all accounts they have. This is why users should be forced to change theirs on a regular basis.  My recommendation is to follow cyber security best practices and force this change every 45-90 days.

Now for the good news.  This is an excellent example of an SMB handling a crisis correctly.  They detected the compromise in a relatively short period of time and called in cyber security experts immediately.  They then took appropriate measures to control the damage and began the process of customer notification.  It is obvious they had an incident response plan in place to address this type of event.

SMBs can use this as a learning experience.  Speak with your IT staff and ask them about your organization's incident response plan.  If they are able to explain the process, then you're in a position to handle a potential crisis.  It would also be a good idea to schedule some time with your staff to review the incident response plan.  Update it and make any necessary adjustments during the review.

If all you get is blank stares and non-answers, you're in trouble.  Take the time to gather the appropriate stakeholders from all lines of business and create an incident response plan.  Once completed, incorporate it into your cyber security policy immediately.  Protect your organization by requiring all employees to read the cyber security policy and sign a statement that they have read and understood it.

I would also recommend conducting at least one tabletop exercise per year.  This is an exercise in which a data breach is simulated.  It ensures that everyone in your organization knows what they are responsible for and the steps required to meet those obligations.  Remember, getting ahead of the incident goes a long way toward damage control and restoring customer confidence.

In future posts I will help guide readers through the process of creating an effective cyber security policy.  An incident response plan will be one of the topics that will be covered.
