South China Morning Post
Advertisement
Advertisement
Photo: Elhombredenegro
TechEnterprises

Companies must be willing to go to war against hackers to protect sensitive data, or stop collecting it: experts

James Griffiths
Why you can trust SCMP

As the fallout from the major hack attacks on infidelity-dating site Ashley Madison and the US Office of Personnel Management continue, experts say we may need to reassess how much data is stored on users if it cannot be protected. 

More than 50 million people had personal and sensitive data exposed in the OPM and Ashley Madison hacks, which were discovered in April and July of this year, respectively.

READ MORE: Most adulterous area of Hong Kong revealed: Ashley Madison 'cheating map' shows surprising results

They came in the wake of major data breaches at Sony Pictures, late last year, and Target, which agreed in March to pay out US$10 million to those affected. 

"If you can't protect it, don't collect it," Richard Bejtlich, chief security strategist at US cybersecurity firm FireEye, told the South China Morning Post.

"We have to come to terms with the idea that no one really has the ability to keep a determined intruder out of your enterprise." 

Unless companies are willing to pay for expensive detection and response systems – that fight a sort of guerilla war against attackers within the system, with the intention of frustrating them enough that they seek another target – it is highly unlikely they won't someday be breached, Bejtlich said. 

"[In that case] reduce the amount of data you have, get rid of sensitive data if at all possible, so you don't have to carry around the burden of protecting it." 

David Shearer, chief executive of certification and security firm (ISC)², agreed. 

READ MORE: Third of Hong Kong apps vulnerable to hack attacks as watchdog calls for urgent security improvements

"If you're going to collect personally identifiable info on anyone and you don't have a high confidence of protecting it, then don't collect it," he said. 

As an investigation by the Post discovered, contained within the gigabytes of data released by the Ashley Madison hackers were home addresses, dates of birth, phone numbers, and even sexual preferences. 
Members of the cheating site have been blackmailed, with criminals threatening to expose their data if they don't wire them untraceable bitcoins

According to US officials, the hackers who breached the OPM may have made off with even more sensitive data, including security clearance information and social security numbers. 

"Companies tend to hold more information and personal data than they need," said Jack Chan, a security strategist with research firm Fortiguard Labs. 

Data may not even be being used, he said, just collected for future data mining or marketing purposes. 

However, he warned that "it may be harder for a company to find the incentive or justification to reduce the amount of held information than to strengthen its protective measures". 

Asked whether there was risk that repeated high-profile hack attacks like the Ashley Madison or Sony breaches could lead to people feeling hopeless about protecting their data, Shearer compared the problem to a disease that is difficult to find and treat. 

"Is there just more cancer, or do we just have more tools to find it?"

As detection methods improve, and more hacks are detected, "there's a potential people become desensitised to it," he said. 

However, the large scale fraud that could come from a hack on the scale of the OPM attack has yet to be felt, he said, and "when people start to feel it hitting them" they will demand better practices across the board. 

"They'll demand to do business with organisations that can give them some semblance that they're taking seriously the protection of their personal information." 

Post