The recent breaches suffered by Marriott Hotels and Quora once again highlight the importance of security in the digital economy and how users need to adopt the right procedures to try to protect their data.
In the case of Marriott, the data of some 500 million people who stayed in hotels belonging to W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Tribute, Le Méridien, Four Points and Design Hotels, as well as timeshares, was stolen, including names and addresses, telephone numbers, e-mail addresses, passport numbers, loyalty program identifiers, dates of birth, sex, stay data, communication preferences and, in some cases, credit card numbers with their expiration dates. The data was encrypted with AES-128, but it’s possible the encryption keys were also stolen. This is a major disaster that could give criminals access to other services and even allow them to carry out identity theft.
The Quora breach affects 100 million users, many of whom didn’t even know they had an account with the question and answer site. Again, we’re talking here about encrypted passwords, names, email addresses, data possibly imported from other social networks linked to the account, and all of the account’s activity on the site, which together could be used for a wide range of profiling activities.
About two months ago, Facebook also announced the theft of information affecting thirty million users, and before that there have been many others. As users, what should we do in these cases? Our exposure depends, fundamentally, on our security practices. The first thing to do is to find out what information has been affected by the theft, and to assume that this information is now available to anyone who wants to use it to commit some type of theft or fraud. The company’s response in that regard is very important, and in the case of Marriott it was a security disaster in its own right: the company notified all its users of the problem by email, but instead of sending it from its corporate domain, it did so from firstname.lastname@example.org, a domain registered to a third-party firm whose web page neither loads nor presents an identifying HTTPS certificate. The company thereby put its customers in even more danger, exposing them to phishing scams sent from similar domains with small variations. This isn’t just about bad security practices; it shows how the security of the companies that manage our information is not being handled by the right people.
It all comes down to our security practices. If you’re somebody who uses the same password for every site you visit “because it’s easy to remember”, you have a problem: you’ll have to go back to all the sites you’ve used that username and password on and change them all. Remember: the first step for cybercriminals is to try the username and password they have stolen on sites where they can buy stuff or obtain additional data. Criminals will sometimes set up sophisticated schemes to attack a specific person, either because they have a visible public profile or in response to something that person has done, but usually, they are simply looking for reasonably easy targets they can make money from. If you use the same password or slight variations on it everywhere, you are definitely at risk.
Considering the vulnerabilities of many of the sites where you’ve opened accounts in recent years, it’s likely your password has been stolen at some time from a page that’s been hacked. You can check this by entering your email address on sites like Have I Been Pwned?, which are reliable and index the data from many recently published security breaches. The problem is that your username and password could have been stolen months or years ago, since companies take a long time to report data theft, which is why, if you haven’t already done so, it’s definitely time to end those bad security practices and start using a password manager. If you manage an organization, you can do something even better: deploy a password manager as a standard security practice for all your employees. In cybersecurity, humans are always the weakest link.
A good password manager is not a security risk: if someone manages to access its vault files, all they’ll find is an encrypted password list that is of no use to them. If we use a good password manager and are minimally systematic about it, password issues are solved simply by asking the manager to assign a password for each site we visit: one that, like all the others, is random and impossible to remember, and that is unique to that site. This minimizes the damage in case of theft, because a password stolen from one site opens nothing else. If you are one of those people who think of a password and remember it or write it down, then for your own good, you’re going to have to change. Passwords as we know them have outlived their time.