Internet users rely on services provided by companies such as social
media platforms and banks, and to do so they have to hand over personal
details: bank balance, address, phone number, browsing history,
location, and details of personal documents such as a passport or
national identity card. When online hackers breach a company's
security, this is a threat to user privacy. Companies promise to
provide security to their users and spend a percentage of their
production cost for this purpose. Unauthorized access to this data is
a violation and a threat to sensitive information. There are many
examples of such data breaches throughout history. Let us discuss one
example.
* LinkedIn data breach:
- LinkedIn is a social media platform for job seeking, where users
post their CVs. LinkedIn has almost 700 million registered customers.
It shares access to user profiles with recruiters and companies. The
reason I chose the LinkedIn example is that it is one of the most
commonly used social media platforms, and it is used by professionals
rather than by the general public as on Facebook.
- In June 2012, 165 million users were affected: password information
was stolen by hackers and sold online. The main problems were that the
users' passwords were weak and easily cracked, and that LinkedIn did
not salt the passwords.
- Salting is a cryptographic technique. A salt is additional random
data that is combined with the password before it is hashed and stored
in the database. The salt is stored alongside the hash, so that two
users with the same password do not end up with the same stored value
and hackers cannot recover the user's password directly from a
precomputed table of hashes.
- Later LinkedIn admitted that 6.5 million passwords were stolen and
published online.
- Later, in 2016, 117 million passwords were put up for sale by
hackers. This is more than what LinkedIn had admitted.
* The reason for the hack:
- Experts reveal that the main problem was that LinkedIn did not use
a salt while hashing the passwords. Therefore it was easy to recover
the passwords from the stolen database by matching the hashes against
a precomputed lookup table.
- Also, users were not prompted to create strong passwords while
creating their accounts.
* Ways to protect against such data breaches:
- As discussed above, LinkedIn should have used a proper cryptographic
technique to store the passwords. The encryption and decryption have
to be tight and secure. Use of a random salt should be encouraged
along with the encrypted passwords while storing them.
- Make sure the users choose passwords according to standard
guidelines like the USSC password strength and security guidelines.
Users must be encouraged to use longer passwords containing symbols,
capital letters and numbers.
- Passwords should not include the username or email id.
- Normally single words are not long. Therefore, to stop users from
entering passwords consisting of a single word, the software should
require passwords of at least 10 characters. Hackers can look up
common words and slang in a dictionary.
- There should be a system that enforces rules such as at least one
capital letter, one number and one special symbol along with the
specified length. Guide users not to use common words like
p@ssw0rd123: although this may fulfil all the requirements above, it
is still a guessable password.
- No employee should be allowed to take the confidential data of the
organization home for any reason. Laptops brought onto the
organization's premises must be subject to the organization's rules.
- Users must be notified of logins to their account if any suspicious
activity is found.
- The system administrator should also get a notification of any
access to the system from an unfamiliar IP address.
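The password rules listed above (minimum length, capital letter, number, symbol, no username or email, and no common word even when dressed up as p@ssw0rd123) can be enforced at account creation. The following is an added Python example, not part of the original essay and not any real platform's code; the common-word list and the leet-speak substitution map are constructed for illustration, and a real deployment would check against a large list of known breached passwords instead.

```python
import re

MIN_LENGTH = 10

# Constructed list of common base words; a real deployment would use a
# large breached-password list rather than this handful.
COMMON_WORDS = {"password", "linkedin", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Constructed map of substitutions that do not make a word less guessable.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols and undo leet substitutions.

    Example: "p@ssw0rd123" -> "password", so it is caught as a common word.
    """
    base = re.sub(r"[^A-Za-z]+$", "", password)
    return base.lower().translate(_LEET)


def check_password(password: str, username: str = "", email: str = "") -> list:
    """Return a list of rule codes the password violates; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no_symbol")

    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains_username")
    # Compare against the local part of the email address (before the @).
    local_part = email.split("@")[0].lower() if email else ""
    if local_part and local_part in lowered:
        problems.append("contains_email")

    if normalize(password) in COMMON_WORDS:
        problems.append("common_word")
    return problems


if __name__ == "__main__":
    # Constructed inputs showing each rule firing.
    for pw, user, mail in [
        ("p@ssw0rd123", "", ""),
        ("Welcome1!", "", ""),
        ("alice2024!X", "alice", ""),
        ("Bob.smith#2024Q", "", "bob.smith@example.com"),
        ("Tr0ub4dor&3xample", "", ""),
    ]:
        print(f"{pw!r}: {check_password(pw, user, mail) or 'ok'}")
```

The normalization step is what catches p@ssw0rd123: it satisfies the length, digit and symbol rules, but once trailing digits are dropped and the substitutions are undone it is just "password".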
* Conclusion: A data breach is a malpractice that steals data from
users, and government officials should set principles that companies
must follow, or else stern action must be taken.