We read constantly of data breaches and of sensitive data being made available for sale on the ‘dark web’ – indeed, as I reported here in February, sometimes not even on the dark web.
While we at Compliance3 tend to concentrate on the security of, and potential threats to, card data, the recent report from CIFAS suggested that any personal data can be used by criminals in creating identity theft profiles.
For example, we learned recently that the online dating site ‘Muslim Match’ has been breached and some 150,000 log-ins have been made available for sale online, along with nearly 800,000 potentially very private messages between users.
The data, which has been confirmed as genuine, includes Skype handles. And, given the sensitivity of some of the breached data, along with potential religious and cultural taboos, the risk of hacked users receiving blackmail threats is potentially higher than for other similar compromises at more ‘western’ sites like Ashley Madison, Match.com or Plenty of Fish.
That said, the Daily Mail reported back in August 2015 (here) that some leaked Ashley Madison clients had been driven to commit suicide.
And, once again, the breach at Muslim Match doesn’t look to have been too sophisticated, possibly a relatively simple SQL injection. One user of the site told the website Motherboard “I feel disappointed, but the site didn’t seem to be secure in the first place. They never used https.”
At the time of writing, the Muslim Match site is down, showing the message “We have been made aware of an alleged security breach and are reviewing our systems as we work to remedy the situation and tighten our security.”
We’ve all read cringe-worthy tales of embarrassing and ill-advised emails going viral; is there anything stored on a corporate server – anywhere – that you wouldn’t want made public?
Javvad Malik of AlienVault summed it up: “Where possible, people should consider information on websites to be publicly available,” he argued. “Therefore, they should consider what photos and information they post and share and the potential impact if the content is shared broadly.”
Whether insecure or not, the simple fact is that companies continue to suffer data breaches, and it’s up to us customers to gauge our own risk appetites.
And, of course, if you’re responsible for storing sensitive data, please make sure it’s secure.