Hackers Diversify Targets for PII Thefts

We’ve grown accustomed to breaches hitting some of our favorite stores, and 2014 had some of the biggest ones to date. As the danger of data breach blindness grows, we come to expect that there is always some risk in a financial transaction, whether it happens at the storefront or the virtual checkout. But fraudsters don’t focus only on retailers. Here are two of the latest breaches, one at a sharing economy company that puts drivers in touch with people seeking rides and the other at a service that lets viewers find streams of their favorite video games. Together they once again demonstrate a marked difference in how data breaches get handled.

Not So Über

In late February, news broke that up to 50,000 current and former user accounts, specifically driver accounts, may have been breached. At the time of the announcement, Uber reported that it was not aware of any misuse of the stolen information, which it said included names and driver’s licenses. Uber filed a lawsuit against an unnamed individual who accessed the company files and has since changed its database access protocols. More worrisome is the news from The Guardian at the end of March that thousands of Uber login credentials, with their associated data, were up for sale on many private networks. The login credentials would allow buyers to log into the service, book rides, and charge the payment to the legitimate account owner. Uber has denied that the logins came from its servers, suggesting instead that the source is users reusing username and password combinations across sites. While the breach Uber has acknowledged occurred in May of last year, it wasn’t discovered until September, and it took the company another four months to release the information to the public. Uber hasn’t had a great history with passenger data, either. Last year, Uber’s God Mode made headlines when it became known that Uber management had access to GPS information on users, and that one executive had accessed the private records of a Buzzfeed reporter to demonstrate how much access they had.

Not So Twitchy

Compare that breach to the one announced by Twitch, a service that focuses on video game live streaming and was acquired last year by Amazon. On March 24, Twitch announced that its user base had been compromised; it preemptively reset the passwords on all accounts and disconnected any associated accounts (such as YouTube, Twitter or Facebook). The breach exposed usernames and encrypted passwords, the last IP address each user connected from, and anything else users had provided, such as first and last name, phone number, address and date of birth. Users were asked to log back in, reset their passwords and reauthorize any connected accounts. Twitch also warned users that their passwords, while encrypted on its site, may have been captured in clear text by malicious code if they logged into the site on March 3rd. While we don’t yet have numbers on how many users were affected, the Twitch user base is large — it has 55 million registered accounts. It’s heartening, though, that not only were dramatic steps taken to protect users, but the time from discovering the breach to public announcement was less than 30 days, timely notification that allowed users to be proactive about other website logins that may use the same data. That said, enough Twitch users complained about the complexity and length requirements that Twitch lowered the minimum password length to only eight characters, a huge step backwards in security for any system that still relies chiefly on passwords.

Standardizing Breach Notification

Because companies continue to be hesitant about revealing breach information, several states have created laws to compel good reporting standards. But not all states have done so, and the laws that do exist are not consistent with one another. The US Federal government is moving forward on a National Breach Notification Bill that would require companies to advise customers of any breach within 30 days and impose fines of $2.5 million for failing to do so. Surveys indicate that 43% of all American companies have already been affected by one kind of breach or another, a number that will keep growing as long as there is a market for data containing usernames, passwords, credit cards and PII. Standardizing notification requirements is a short-term measure that empowers individual account holders to be proactive about their own online security, but it does nothing to protect against the use of that data against either the affected user or the companies that suffered the breach or that might find the stolen data used against them. The best strategy is to stop reacting to breaches with short-term measures and instead make your system rely not on something that can be shared, stolen or spoofed, but on something unique to every user — behavioral biometrics.