Weekly Podcast: Every Yahoo! account breached, Equifax update, Conservative conference

This week, we discuss 3 billion compromised Yahoo! accounts, the latest Equifax news, and Home Secretary Amber Rudd’s opinion of technology experts.

Hello and welcome to the IT Governance podcast for Friday, 6 October 2017. Here are this week’s stories.

You’ll remember that when news of Yahoo!’s 2013 data breach emerged last December, it was estimated, based on analysis of data files provided by law enforcement, that a staggering 1 billion customer records had been compromised. This was on top of the company’s admission last September that 500,000 users’ information was affected by another breach in 2014. It wasn’t clear at the time how much the two data sets overlapped, but this week brought clarity. Yahoo! has revised its numbers – significantly. The actual number of accounts breached in 2013 is… 3 billion. In other words, all of them. So now we know.

The company was bought by Verizon earlier this year for $4.48 billion – the price having been reduced by $350 million because of the breach. Following the acquisition, Verizon conducted its own investigation into the breach and found that all accounts that were in existence in August 2013 had in fact been affected.

According to Yahoo!’s FAQ page, “the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”. Cleartext passwords, payment card data, and bank account information were not affected.

As I said last December, MD5 is not considered a strong password hashing algorithm, so passwords hashed with it shouldn’t be considered safe. Although Yahoo! required all users to change their passwords at the time, those who are in the habit of reusing their credentials across multiple sites are still at risk wherever they’ve used the same password. I’ve said it before and I’ll say it again: use a password manager.
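To make the MD5 point concrete, here is an added illustration (not from the podcast or from Yahoo!) using constructed sample users who reuse one password on two unrelated sites: unsalted MD5 stores byte-identical records on both sites, so a leak from one exposes the reuse everywhere, whereas a salted, slow KDF such as scrypt does not. The site names, user names and passwords are invented for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data: the same two people register on two unrelated sites
# and reuse one password on both (the reuse scenario the story warns about).
SITE_A_USERS: List[Tuple[str, str]] = [("alice", "Summer2013!"), ("bob", "hunter2")]
SITE_B_USERS: List[Tuple[str, str]] = [("alice", "Summer2013!"), ("bob", "hunter2")]


def store_md5(users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Unsalted, fast MD5: the scheme named in Yahoo!'s disclosure."""
    return {name: hashlib.md5(pw.encode()).hexdigest() for name, pw in users}


def store_scrypt(users: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Per-user random salt plus a memory-hard KDF (parameters sized for a demo)."""
    out: Dict[str, Tuple[bytes, bytes]] = {}
    for name, pw in users:
        salt = os.urandom(16)
        digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
        out[name] = (salt, digest)
    return out


def verify_scrypt(pw: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt, expected = record
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest, expected)


def linkable_accounts(site_a: Dict[str, object], site_b: Dict[str, object]) -> List[str]:
    """Users whose stored credential is byte-identical on both sites.

    With unsalted MD5 a leak from one site reveals, with no cracking at all,
    every other MD5 site where the same password was reused. Salted scrypt
    records differ per site, so the same leak carries no such signal.
    """
    return [name for name in site_a if name in site_b and site_a[name] == site_b[name]]


if __name__ == "__main__":
    print("MD5 linkable:   ", linkable_accounts(store_md5(SITE_A_USERS), store_md5(SITE_B_USERS)))
    print("scrypt linkable:", linkable_accounts(store_scrypt(SITE_A_USERS), store_scrypt(SITE_B_USERS)))
```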

Talking of large-scale data breaches, Equifax took a further battering this week when it emerged that the IRS signed a $7.25 million contract with it last month. According to Politico, senators reacted with incredulity. Senate Finance Chairman Orrin Hatch said: “In the wake of one of the most massive data breaches in a decade, it’s irresponsible for the IRS to turn over millions in taxpayer dollars to a company that has yet to offer a succinct answer on how at least 145 million Americans had personally identifiable information exposed.”

That succinct answer came when Equifax’s former CEO Rick Smith appeared before a congressional hearing this week, in his first public appearance since disclosing the data breach. Smith was – unsurprisingly – very apologetic.

Testifying before the House Committee on Energy and Commerce, Smith said that human error and technology failures meant the Apache Struts vulnerability that gave criminals access to Equifax’s systems was never patched.

Congressman Greg Walden didn’t hold back, expressing astonishment that a company of Equifax’s size could have allowed so much data to be compromised. “How does this happen when so much is at stake?” he said. “I don’t think we can pass a law that – excuse me for saying this – fixes stupid.”

Here in the UK this week, a lot of column inches have been devoted to the Prime Minister’s conference speech, the contents of which I, like – I suspect – many people, have already forgotten, overshadowed as they were by coughing fits, letters dropping to the floor from the slogan behind her and prankster Simon Brodkin handing her a P45. However, there was also some information security news from Manchester.

According to the BBC, the home secretary, Amber Rudd, who, coincidentally, is no stranger to pranksters herself, told a Spectator fringe meeting at the Conservative conference that she was fed up with “patronising” technology experts “sneering” at politicians, and once again expressed concern about end-to-end encryption and how criminals could take advantage of it, despite admitting she didn’t understand it.

“It’s so easy to be patronised in this business,” she said. “We will do our best to understand it. We will take advice from other people but I do feel that there is a sea of criticism for any of us who try and legislate in new areas, who will automatically be sneered at and laughed at for not getting it right.”

Michael Beckerman, the chief executive of the Internet Association, which represents technology giants including Google, Microsoft and Amazon, commented that encryption couldn’t be uninvented, and noted that “even if every internet company that we represent said ‘ok we are turning off encryption’ you are just weakening the security for everybody in this room but that math, that technology still exists for others to use on other platforms.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.