Some months ago, I wrote about ineffective data security practices in my blog titled “How much do you really know about your internal computer security?”. In that blog post, I discussed how senior management in many large corporations are simply not aware of many of these weaknesses.
Even when management is made aware of severe security threats, there are no processes in place to expedite a thorough review of all security processes and put fixes in place. Most companies have separate project ‘queues’ in place to deal with compliance and regulatory updates, but not for security issues. Considering that a serious breach could result in massive loss of customer confidence, huge fines and loss in market value, this is a no-brainer.
Now back to LinkedIn. By all accounts, LinkedIn was storing passwords in hashed (not plaintext) form; unfortunately, a big lesson learned is that just because you have some hashing or encryption does not mean you are protected. Having ‘effective’ protection and an overall security mindset is what helps. In the case of LinkedIn, even though they used SHA-1 hashing, they neglected to use ‘salting’. ‘Salting’ is when random bits are added to the password before it is hashed, so that two users with the same password get different hashes and the resulting output cannot be looked up in a precomputed table. PC World has some more details on this.
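As an added illustration of the point above (this is not code from the original post or from LinkedIn), the snippet below contrasts the unsalted SHA-1 scheme with a salted, iterated hash. The user names and passwords are constructed samples, and PBKDF2-HMAC-SHA256 is chosen here as one standard salted scheme, which goes a step beyond what the post names.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share a password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}


def unsalted_sha1(password: str) -> str:
    # The weak scheme described above: plain SHA-1 over the password, no salt.
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, iterations: int = 600_000) -> dict:
    # Hardened form: a random 16-byte salt is mixed into the password before
    # hashing, and PBKDF2 iterates the hash so each guess costs an attacker time.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_is_visible(hashes: dict) -> bool:
    # With unsalted hashes, equal passwords produce equal digests, so a leaked
    # table reveals which accounts share a password and one lookup breaks them all.
    return len(set(hashes.values())) < len(hashes)


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("unsalted: duplicate visible ->", shared_password_is_visible(weak))
    strong = {u: make_salted_record(p) for u, p in USERS.items()}
    salted_only = {u: r["hash"] for u, r in strong.items()}
    print("salted:   duplicate visible ->", shared_password_is_visible(salted_only))
    print("verify ok:", verify_salted(strong["alice"], "Summer2012!"))
    print("verify bad:", verify_salted(strong["alice"], "wrong-guess"))
```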
The bigger issue for LinkedIn and other breaches like this is that since people tend to use the same password on multiple websites, those users’ data is vulnerable on many other websites as well.
The lesson learned is that security issues have to be taken seriously and existing issues cannot be fixed using simple band-aids. More often than not, applying band-aids can cover up more serious underlying issues – issues that may never be discovered until personal user data starts showing up on sites like Pastebin. It is unbelievable that some companies still think hiding columns of unsecured data from website interfaces solves the problem. Unfortunately some companies learn the hard way, after they are faced with massive regulatory fines, loss of customer confidence and plunging market value after a major leak. Don’t let your company be one of them.