Top menu

01/06/2017

Yahoo’s massive data breach and the aftershock for corporate data security

Yahoo’s latest data theft affected more than one billion accounts, which is roughly double the number involved in the separate data breach incident it announced in September 2016.

A BILLION hacked accounts. It’s hard to fathom.

You might say “they’re just personal Yahoo email accounts, so who cares?” But the hack went beyond just accessing a person’s email account, as Yahoo wrote in their security notice: “The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

So, not only will this massive data breach foster a lot of phishing attacks (for example, “to update your Yahoo email account, click here”), but it also places in the hands of hackers and others, user passwords as well as their preferred security questions and answers, which are often used on other sites to verify identity.

Sure, you can change your password, but you can’t change your birthday, mother’s maiden name, the name of your first girlfriend or the model of your first car. These types of security questions are common on data sensitive sites that include financial services, cloud storage, and other webmail sites.

Once your common security questions and answers are compromised, malicious hackers can use this information to get access more information stored on other sites, and not just your Yahoo email. In the security industry, these are called “aftershock breaches” where the initial breach continues to reverberate and cause additional breaches on other sites.

From a corporate data breach perspective, we all know that employees are using cloud storage and web based email to circumvent established data security policies. Why do they do it? Well, the answer is simple, they just want to get their jobs done in the easiest and most effective way possible. If that means occasionally uploading sensitive corporate files to a cloud storage service or webmail, so be it.

But a massive data breach like Yahoo’s, with passwords and security questions/answers now out “in the wild”, puts these cloud-based services at risk of an aftershock breach.

When staff are using these services as a way to “get things done” while circumventing your data security policy, it places your sensitive corporate data at risk. Even if your employee didn’t upload the file to their Yahoo email account, it really doesn’t matter. Hack one site, hack many sites.

How do you stop your employees from uploading corporate data to non-authorized sites? Most companies rely on sternly worded policies, the “thou shalt not upload corporate data” commandment. But as we’ve seen time and time again, a security policy without the technology based enforcement like DeviceLock DLP provides, is doomed to fail.

Perhaps after the 3rd time that your employee receives the DeviceLock generated custom message “You are not permitted to upload corporate data to external sites” and blocks the file from transferring, maybe they will get the hint that your security policy is not just a polite “suggestion” but the law at your organization. Moreover, our event logs and data shadowing capabilities provide you with the ammunition to take even more direct action to stopping the policy violations if they continue to occur.

A billion hacked accounts are a huge number, and there is a very good chance that the identity and security of your employees has been compromised. Don’t let the Yahoo hack turn into a data breach risk for your organization. Take the steps to ramp up your data security with a “best in class” endpoint data leak prevention (DLP) solution.It’s easier and less expensive than you might think.

For more information on how DeviceLock DLP can minimize the impact of the Yahoo breach on your corporate data, please call us at 925-231-4400 or email us.sales (at) devicelock.com and talk with one of our endpoint security specialists. You can also trial the DeviceLock DLP Suite for 30 days at: http://www.devicelock.com/download.