Weekly podcast: Yahoo breached again, plus TalkTalk and Ashley Madison

This week we discuss the compromise of another 1 billion Yahoo records, the sentencing of the boy responsible for the TalkTalk breach, and Ashley Madison’s $1.6 million settlement.

Hello and welcome to the IT Governance podcast for Friday, 16 December – the penultimate podcast of a year that, let’s face it, has been more than a little turbulent. Next week, we’ll be rounding up the best – or perhaps I should say the biggest – news of 2016, but, for now, here are this week’s stories.

Obviously, we have to start with Yahoo. Even recluses will have heard about this story, of course, but this is the biggest data breach in history so we can’t ignore it. The troubled search giant has disclosed that one billion customer records were stolen in 2013, which, on top of the company’s September admission that 500 million accounts were breached in 2014, is astonishingly embarrassing.

There may be some overlap between the two data sets, but that still means that at least one billion Yahoo accounts were affected. (For reference, there are about 3.5 billion Internet users in the world at the moment. And to think some people still think data security isn’t something that affects them.)

Yahoo’s chief information security officer Bob Lord said:

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. […] Payment card data and bank account information are not stored in the system the company believes was affected.”

Yahoo has provided more information about the incident – and what users should do – on an FAQ page.

It’s worth mentioning that MD5 is a fast, general-purpose hash rather than a password hashing algorithm, so passwords hashed with it – particularly without a per-user salt – shouldn’t be considered safe.

A 17-year-old boy who admitted to offences connected to last year’s TalkTalk data breach – which cost the company an estimated £42 million and a record £400,000 fine from the Information Commissioner’s Office – was sentenced at Norwich Youth Court this week. (Coincidentally, 17 is the average age of suspected cyber criminals according to analysis conducted by the National Crime Agency’s National Cyber Crime Unit last year.) The teenager, who can’t be named for legal reasons, was given an £85 fine and a 12-month rehabilitation order, and his hard drive and iPhone were confiscated.

The Telegraph reports that the defendant’s lawyer, Chris Brown, said the purpose of the order was to “draw him from the lonely confines of a bedroom and that lonely world of computing to a family where his knowledge and skills could be put to good use and to project that out to the wider world”.

According to the BBC, ‘chairman of the bench Jean Bonnick told him: “Your IT skills will always be there – just use them legally in the future.”’ If he does decide to use his IT skills legally, he’ll probably do well – there’s a huge skills shortage in the IT security sector, which is only likely to get worse as companies rush to comply with the GDPR.

Another company that was breached last year was the hook-up site Ashley Madison, which, you’ll remember, saw some 36 million users’ account details dumped online. The company behind Ashley Madison, ruby Corp. (formerly Avid Life Media), this week agreed to pay a $1.6 million settlement, apparently unable to stump up the $17.5 million the Federal Trade Commission (FTC) and state authorities originally wanted.

In a statement about the settlement, ruby said that it “has agreed to maintain a comprehensive information security program and refrain from past business practices that may have allegedly been misleading to consumers.” ruby was at pains to point out that it “neither admits nor denies the allegations made by the FTC and the State Attorneys-General.”

And what were those allegations, I hear you ask. According to an FTC press release, the “defendants engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.”

Daniel Therrien of the Office of the Privacy Commissioner of Canada commented: “In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”

Well, that’s it for this week. As ever: if you enjoy these podcasts, please share them using the hashtag #itgpodcast, and, until next time, when we’ll discuss the biggest stories of 2016, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out December’s book of the month, The Security Consultant’s Handbook by Richard Bingley. Distilling the author’s fifteen years’ experience as a security practitioner, and incorporating the results of some fifty interviews with leading security practitioners and a review of a wide range of supporting business literature, The Security Consultant’s Handbook provides a wealth of knowledge for the modern security practitioner. Save 10% if you buy by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.