Current Events: Monster.com data breach

By dravir at 6:12 pm on February 13, 2009 | 1 Comment


According to MSNBC (http://www.msnbc.msn.com/id/29017452/), Monster.com, along with USAJobs.com (which Monster’s parent company runs), was breached, resulting in the theft of user IDs, passwords, email addresses, names and phone numbers.  The number of records stolen was not disclosed, nor were any details concerning how the thief obtained access to their databases.

As to why this event arose, the large number of users of these sites makes them appealing targets to break into.  Without any technical details concerning the attack, it is difficult to guess what security was in place (or what wasn’t) that permitted the breach to occur.  It is also difficult to say what could have been done differently to prevent the attack.  If this information was not encrypted, that is one control that could have been in place: even obtaining the encrypted files would not immediately grant the attacker access to the information.

The article mentions some interesting broader issues with this event.  Namely, that security breaches are becoming so common that hearing of one is less and less likely to deter customers from using a particular service – it is “par for the course” as it were.  It also mentions the mindset that “even if you switch services, the service you switch to is not guaranteed to be any safer from your current service.”  These are interesting trends in the concept of data security.  On one hand, it could be a good thing if customers expected data breaches from certain services, such that they don’t put out any sensitive information that would be cause for alarm if stolen.  On the other hand, many services require information to function that most would consider sensitive or personal, and as such removing the accountability for a data breach by citing the mindset that “you have to expect it will happen every so often” is counterproductive.

Though it is true that perfect security is generally impossible, “best practices” should be in place, and companies should be held accountable for reaching those standards.  If in the wake of a data breach it is determined that the company in question was following current and best practices in data security, then perhaps it is right to say “it just happens sometimes despite all you can do” and move on.  If, on the other hand, it is determined that negligent practices were occurring, the public should be made aware of that and the company should be held accountable.  Data breaches may be somewhat inevitable, but if I have to choose between two similar services, one which has had data breaches under negligent circumstances and one which has had data breaches but has shown that they are doing everything they should be, I’ll take the company that’s doing what they should be.


1 Comment

    Comment by Brent Couvrette

    February 13, 2009 @ 9:33 pm

    It seems like all of these breaches should act as a wake-up call to the industry. I will admit that preventing all attacks is extremely difficult and often monetarily infeasible to do. However, I feel that the effects of some of these breaches could be greatly mitigated with sufficient defense in depth. For example, if you have a vulnerability that allows attackers to query your database, the usefulness of such queries could be limited by encrypting the data stored in the database.
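Applying the comment's suggestion to the password column in particular, here is an added example (not code from the post, its comment, or Monster.com) of how a service can store credentials so that a stolen database row does not hand over the password. For passwords the correct form of this protection is salted, deliberately slow hashing rather than reversible encryption; the record fields, the iteration count and the sample users are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: iteration count chosen to make offline guessing of a stolen
# dump expensive; tune it for your own hardware and latency budget.
PBKDF2_ITERATIONS = 600_000


@dataclass
class StoredUser:
    """What actually lands in the database: no plaintext password."""
    user_id: str
    email: str
    salt: bytes
    password_hash: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive a per-user salted hash; a fresh 16-byte salt is generated if none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def create_user(db: Dict[str, StoredUser], user_id: str, email: str, password: str) -> StoredUser:
    """Store only salt + hash; the caller never persists the password itself."""
    salt, digest = hash_password(password)
    record = StoredUser(user_id, email, salt, digest, PBKDF2_ITERATIONS)
    db[user_id] = record
    return record


def verify_password(record: StoredUser, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(candidate, record.salt, record.iterations)
    return hmac.compare_digest(digest, record.password_hash)


def dump_reveals_password(record: StoredUser, password: str) -> bool:
    """Models the attacker's view: does the stolen row contain the password verbatim?"""
    stored_bytes = record.salt + record.password_hash + record.email.encode("utf-8")
    return password.encode("utf-8") in stored_bytes
```

Two users who pick the same password get different stored hashes because of the per-user salt, so a leaked dump cannot even be grouped by shared passwords.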
