
Posted 7 October 2015

Recent news has reported a number of security breaches:

– In government: the US Office of Personnel Management revealed in July 2015 that the accounts of 21.5 million American officials, both inside and outside the government, had been hacked, leaking sensitive personal data including their social security numbers and the content of their security clearance request files (http://edition.cnn.com/2015/07/09/politics/office-of-personnel-management-data-breach-20-million )…

– In security-related companies: Hacking Team, an Italian surveillance-software vendor, had the unpleasant surprise of finding part of its backed-up data scattered across the Cloud, enabling virtually anyone to obtain confidential and classified information: its interception software's source code, contracts, customer database, emails, support database, etc.! The hacker leaked 650 GB of data while remaining stealthy, which is not completely trivial, and we could guess that the company did not fully pay attention to its data. The consequences of such an attack for the company are the loss of its intellectual property and the fact that its products will easily be detected by antivirus software now that their source code has been published. Additionally, documents revealing relationships between the company and rogue states might have serious legal consequences… (http://www.zdnet.fr/actualites/hacking-team-pirate-un-arriere-gout-de-finfisher-39822014.htm). This data leakage wouldn't have been possible if the data had been properly encrypted.

– In dating sites: on July 14th 2015, hackers took control of the AshleyMadison* website and two of its subsidiaries specialized in extramarital dating, leaking the personal data of 32 million users (names, addresses, bank account information, etc.) and the email addresses of the website's managers. In August the hackers published the complete user database and revealed that most female users were in fact bots used to message male users!

What lessons should we learn from these examples?

First of all, companies are vulnerable as soon as their data is vulnerable.

Then, if their data is vulnerable, companies face various types of attacks that bring the following risks: loss of company value, loss of contracts, blackmail, damage to the company's image, etc., any of which might lead the company to bankruptcy.

Finally, as companies are in danger, they must protect their data and data flows. Wherever the data is located (internally or in the Cloud), it should be encrypted because, as no system is ever flawless, the threat will somehow become a reality. Thus, by encrypting its data and keeping its own encryption keys (instead of delegating the task to a Cloud provider), a company can build a shelter against a potential unauthorized disclosure of sensitive data.

*http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/