Two responses to recent high profile data breaches…

October 19, 2014

The Privacy Commissioner issued a statement last week titled “Recent online security incidents” with some advice on what can be done to improve security online, while ZDNet reports in “Facebook explains how it protects user passwords in light of data breaches” on the steps Facebook takes to protect passwords. Both are good responses to a significant problem that needs addressing, but Facebook is going as far as it needs to on this front, while the Privacy Commissioner is stopping well short of what needs to be done from a regulator’s perspective.

The Privacy Commissioner’s statement provides:

In the last week, there have been reports of two high profile incidents involving people’s personal information becoming available online. Incidents of this nature highlight the importance of managing and protecting the security of personal information, particularly in the online environment.

There are a number of simple ways to protect yourself online:

  • Always use strong passwords
  • If you have concerns about the security of your password, you should change it immediately
  • Do not reuse passwords for different services
  • Beware of third party client apps
  • Always ask why information is being collected, and what it will be used for
  • Read privacy policies
  • Only give out as much personal information as you need to
  • When you do offer information online, choose reputable sites, apps and services you know and trust

Cryptic and good as far as it goes.

The ZDNet article provides:

Big box retailers are being struck by security breaches left and right, and increasingly high-profile tech brands like Adobe and Dropbox are finding themselves being targeted.

Facebook, with more than 1.32 billion users and counting, would easily make for a golden goose for hackers. Naturally, the world’s largest social network asserts that it is vigilant against these threats.

Much like the back-end infrastructure for the Open Graph to constructing data centers around the globe, Facebook’s preventative measures and protocols have been made from scratch in-house.

Facebook security engineer Chris Long explained in a blog post on Friday how the Menlo Park, Calif.-headquartered company protects people’s passwords — and by extension, all the account data locked away behind those passwords.

This process involves a heavy duty amount of monitoring, starting where many of us do (with reports of large-scale data breaches) to actively scanning public postings by attackers selling (or even just flaunting) stolen account information. From there, Facebook’s security team pools the posted stolen credentials and compares if the stolen email and password combinations match emails and passwords used on Facebook.

However, Long promised that being “a completely automated process,” Facebook developers don’t actually uncover nor store actual Facebook passwords in “an unhashed form,” or plain text.

He continued:

To check for matches, we take the email address and password and run them through the same code that we use to check your password at login time. If we find a match, we’ll notify you the next time you log in and guide you through a process to change your password.

But there’s only so much Facebook itself can do. Long reminded that users can (and need to) take a number of precautions to protect themselves.

An increasingly popular option being implemented not only by Facebook but also the likes of Google, PayPal and Twitter, among others, is two-factor authentication.

The method adds an extra layer of security, requiring the entry of a security code (usually delivered via SMS) after entering one’s password when logging in from a new browser. Long also touted using Facebook Login, the social network’s version of a single sign-on solution for automatic entry across numerous sites online.

There are benefits and pitfalls to this route, depending on your views. On the one hand, it does grant Facebook with much more access to one’s data, with which not all users are comfortable.

But it does also reduce the number of usernames and passwords that one is required to remember, an increasingly frustrating and debated problem driving many to call for the “death of the password.” Facebook also asserts that with Facebook Login, even if the website you are logging into becomes compromised, the attacker won’t be able to obtain passwords.

Nevertheless, placing trust in Facebook Login also depends upon the strength and reliability of all of Facebook’s aforementioned security measures.
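The matching process Long describes, as an added illustration that is not Facebook’s code and not part of either quoted piece: leaked email/password pairs are run through the same salted-hash check used at login, a match only flags the account for a forced reset, and no plaintext password is ever stored. The user table, hashing parameters and the sample dump are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: email -> {salt, hash, force_reset}.
# Only a salted PBKDF2-HMAC-SHA256 digest is kept, never the password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(db: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    db[email.lower()] = {"salt": salt,
                         "hash": hash_password(password, salt),
                         "force_reset": False}

def verify_login(db: dict, email: str, password: str) -> bool:
    """The single password check used at login time (constant-time compare)."""
    rec = db.get(email.lower())
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def check_leaked_credentials(db: dict, leaked: list) -> list:
    """Run each leaked (email, password) pair through verify_login.
    Matches are flagged so the next login forces a password change.
    Returns the matched emails; the plaintext is discarded, not stored."""
    matched = []
    for email, password in leaked:
        if verify_login(db, email, password):
            db[email.lower()]["force_reset"] = True
            matched.append(email.lower())
    return matched

def demo() -> tuple:
    db = {}
    create_user(db, "alice@example.com", "correct horse battery staple")
    create_user(db, "bob@example.com", "hunter2")
    # Constructed sample of a public credential dump; only bob reused his password.
    leaked = [("Bob@example.com", "hunter2"),
              ("alice@example.com", "wrong-guess"),
              ("nobody@example.com", "password1")]
    return check_leaked_credentials(db, leaked), db

if __name__ == "__main__":
    print(demo()[0])  # → ['bob@example.com']
```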

Facebook is informing its users of what it does to protect their data. That is good business. The reputational damage from a significant data breach is considerable, and Facebook has already come under the gaze of the Federal Trade Commission for privacy-related faux pas. The Privacy Commissioner’s response is reasonable as far as it goes. But a regulator should take more assertive action to ensure that the business culture is privacy conscious and that there is an interest in being compliant. Education only goes so far, if that was the intent of the statement. The Privacy Commissioner has now had his new enhanced powers for 6 months and there has not been much in the way of activity. Given the number of privacy breaches which are reported on a fairly regular basis and the considerable anecdotal evidence of poor compliance, there is no good public policy reason for the regulator not to use the enforcement powers in the Act. Quite the contrary.
