The recent breaches suffered by Marriott Hotels and Quora once again highlight the importance of security in the digital economy and how users need to adopt the right procedures to try to protect their data.
In the case of Marriott, the data of some 500 million people who stayed in hotels belonging to W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Tribute, Le Méridien, Four Points and Design Hotels, as well as timeshares, was stolen, including names and addresses, telephone numbers, e-mail addresses, passport numbers, loyalty program identifiers, date of birth, sex, stay data, communication preferences and, in some cases, credit card details with their expiration date. The data was encrypted with AES128, but it’s possible the encryption keys could also have been stolen. This is a major disaster that could give criminals access to other services and even allow them to carry out identity theft.
The Quora breach affects 100 million users, many of whom didn’t even know they had an account with the question and answer site. Again, we’re talking here about encrypted passwords, names, email addresses, data possibly imported from other social networks linked to the account, and all of the data relating to the site itself, which could be used for a wide range of profiling activities.
About two months ago, Facebook also announced the theft of information that affected thirty million users, and before that there have been many others. As users, what should we do in these cases? Our exposure depends, fundamentally, on our security practices. The first thing to do is to try to find out what information has been affected by the theft, assuming that this information is available to anyone who wants to use it to commit some type of theft or fraud. The company’s response in that regard is very important: in the case of Marriott, we’re talking about a security disaster: the company notified all its users of the problem by email, but instead of using its corporate address, it did so via firstname.lastname@example.org, a domain registered to a third-party firm whose page neither loads nor presents an identifying HTTPS certificate. The company put its customers in even more danger, potentially exposing them to phishing scams from similar domains with small variations. This isn’t just about bad security practices; it shows that the security of the companies that manage our information is not being handled by the right people.
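The notification problem above (a sender domain that is not the company’s own, and lookalike domains a few characters away from it) can be checked mechanically. The following is an added example, not code from the original post or from Marriott; the expected domain and the sample sender addresses are constructed assumptions for illustration.

```python
import re
from typing import Optional

# Assumption for this example: the only domain a customer should expect a
# Marriott notification to come from. Constructed, not taken from the post.
EXPECTED_DOMAINS = frozenset({"marriott.com"})


def registrable_domain(address_or_url: str) -> Optional[str]:
    """Return the last two labels of the host in an e-mail address or URL.

    The two-label rule is deliberately naive (it mishandles suffixes such as
    .co.uk); it is enough to compare a sender against a known corporate domain.
    """
    host = address_or_url.strip().lower()
    if "@" in host:
        host = host.rsplit("@", 1)[1]          # keep only the part after '@'
    host = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", host)  # drop a URL scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(sender: str, expected=EXPECTED_DOMAINS) -> str:
    """'expected' if the domain is known, 'lookalike' if within two edits of a
    known domain (treat as probable phishing), otherwise 'unrelated'."""
    dom = registrable_domain(sender)
    if dom is None:
        return "unrelated"
    if dom in expected:
        return "expected"
    if any(edit_distance(dom, known) <= 2 for known in expected):
        return "lookalike"
    return "unrelated"
```

A notification classified as "unrelated" is exactly the case described above: not fraudulent in itself, but indistinguishable from phishing to the customer, and it trains them to trust mail from domains the company does not control.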
It all comes down to our security practices. If you’re somebody who uses the same password for every site you visit “because it’s easy to remember”, you have a problem: you’ll have to go back to all the sites you’ve used that username and password on and change them all. Remember: the first step for cybercriminals is to try the username and password they have stolen on sites where they can buy stuff or obtain additional data. Criminals will sometimes set up sophisticated schemes to attack a specific person, either because they have a visible public profile or in response to something that person has done, but usually, they are simply looking for reasonably easy targets they can make money from. If you use the same password or slight variations on it everywhere, you are definitely at risk.