This week, we discuss a data breach at Mumsnet, no data breach at OkCupid, and a lawsuit against Apple for implementing security measures.
Hello, and welcome to the IT Governance podcast for Thursday, 14 February 2019. Here are this week’s stories.
The parenting forum Mumsnet has notified users of a data breach after a system update resulted in some account holders being signed in to others’ accounts.
Mumsnet’s CEO Justine Roberts told users: “There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.”
Anyone erroneously logged in to another’s account would have been able to see their email address, account details, posting history and personal messages.
Mumsnet estimates that some 4,000 people were signed in at the time of the incident, but doesn’t know for sure how many users were affected; so far, only 14 users have confirmed that they were.
Roberts continued: “We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.”
According to the BBC, the Information Commissioner’s Office confirmed that it had received a data breach notification from Mumsnet and “would be looking into the incident”.
This isn’t the first time a software update or data migration has resulted in a data breach, and it certainly won’t be the last. That’s why it’s always advisable to conduct tests when changes are applied in order to determine whether new vulnerabilities have been introduced. You can find out more about security testing on our website >>
TechCrunch reports that the dating site OkCupid has denied suffering a data breach after users complained that their accounts had been hacked, and their passwords and associated email addresses changed.
One user who was locked out of his account reported being bombarded with “strange text messages from his phone number that was lifted from one of his private messages”.
This apparently “wasn’t an isolated case” – TechCrunch “found several cases of people saying their OkCupid account had been hacked”. Some eventually regained control of their accounts, others didn’t bother trying.
OkCupid’s support pages urge users to use “a unique password that has not been used anywhere else before”, and observe that account takeovers typically stem from credential stuffing attacks, in which crooks exploit users’ poor password practices by automating login attempts using lists of previously stolen credentials.
However, according to TechCrunch, several users “couldn’t explain how their passwords — unique to OkCupid and not used on any other app or site — were inexplicably obtained”.
Natalie Sawyer, a spokesperson for OkCupid, said: “There has been no security breach at OkCupid. All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”
One way of reducing the risk of credential stuffing attacks is to implement two-factor authentication where it’s available.
It’s not available on OkCupid.
It is available from Apple, but not everyone is happy about that.
Last Friday, New Yorker Jay Brodsky filed a class action against Apple for trespass, claiming that Apple didn’t get his consent before enabling two-factor authentication on his devices as part of a software update and, by being unable to disable it after 14 days, he and “millions of similarly situated consumers across the nation have been and continue to suffer harm” (that’s the filing’s grammatical error not mine, I should add).
His complaint relates to an Apple support page, which explains that “If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks”.
Brodsky’s filing continues: “Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in” – which Brodsky claims to be “an additional estimated 2-5 or more minutes” per login.
Apple Insider seems to have had better luck, reporting that it hadn’t “been randomly presented with any two-factor authentications on Saturday even following OS updates to an iPhone XS Max, an iPhone X, and two sixth-generation iPads, but was able to force the issue on a new device. The process took 22 seconds in total to accomplish.”
Whether it takes you 22 seconds or 5 minutes to type in a passcode, it’s important to strike an appropriate balance between security and productivity, and to ensure a good security culture pervades your organisation. Security teams can sometimes be unaware of how security measures can hinder users, and users are, in turn, often unaware of the impact of their behaviour on security risk management – or feel justified in finding workarounds, which ultimately increase risk.
That’s why information security awareness training for all staff is so important – especially when anyone in the organisation can cause a data breach.
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.