Detecting Data Breaches — Why the Excruciating Delay?

Around mid-September 2016, Yahoo revealed that it had fallen victim to a massive data breach two years earlier. The company has not provided a timeline of the attack or said exactly when the discovery was made. Even more shocking was the fact that someone, presumed to be the attacker, was found to be selling the data online, with records “likely from 2012” consisting of login credentials and personal user information.

According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses.
— VICE Motherboard

This means that the damage doesn’t stop with one’s Yahoo account; the leaked information can be used to gain access to other websites, including banks and file storage services, and even to steal a person’s identity by correlating it with other stolen data.
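The quoted sample describes passwords stored as unsalted MD5 hashes, which is a large part of why a leaked credential list is reusable against other sites. The following added example (not code from the original post or from Yahoo) shows the property that makes this so: with unsalted MD5, every user who chose the same password gets the identical hash, so a single cracked or looked-up entry unlocks a whole group of accounts and the duplicates themselves reveal password sharing. A per-user salt plus a slow derivation such as PBKDF2 removes that shortcut. The user records and passwords here are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed records: (username, plaintext password at signup). Not real data.
SAMPLE_USERS = [
    ("alice", "password"),
    ("bob", "correct horse battery"),
    ("carol", "password"),     # same password as alice
    ("dave", "Tr0ub4dor&3"),
    ("erin", "password"),      # same password again
]


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the storage scheme the quoted sample describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated hash. Each call draws a fresh 16-byte salt, so two users
    with the same password get different stored values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(records):
    """Audit helper: group usernames whose unsalted hashes are identical.
    Any group with more than one member means one recovered password
    exposes all of them at once."""
    groups = defaultdict(list)
    for user, password in records:
        groups[legacy_md5(password)].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def salted_hashes_distinct(records) -> bool:
    """True when no two stored PBKDF2 values coincide, even for equal passwords."""
    stored = [pbkdf2_store(pw) for _, pw in records]
    return len(set(stored)) == len(stored)


if __name__ == "__main__":
    for digest, users in shared_hash_groups(SAMPLE_USERS).items():
        print(f"md5 {digest} shared by {users}")
    print("salted hashes all distinct:", salted_hashes_distinct(SAMPLE_USERS))
```

The audit function is the kind of check a defender runs against their own credential table: a high number of shared-hash groups is a signal that the store is unsalted and that a breach would be far more damaging than the raw record count suggests.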

Given the gravity of the situation, why did it take them at least two years to respond? Yahoo isn’t the first (and not likely the last) to be slow on the draw; this is a security issue plaguing companies in general, for containing both internal and external attacks.

Playing a Rapidly Changing Game with Last Year’s Rules

According to a recent survey of information security professionals, threats have become increasingly difficult to detect. Close to 70% of the respondents echo this sentiment, and only half of them claim to be monitoring critical assets. More interesting is the fact that only ~35% leverage user behavior or predictive analytics to detect threats before significant damage is done.

This lackadaisical approach to security does not match the level of sophistication employed by attackers. Writing rules that block certain activity or alert a system administrator is a practice that has been around for decades, but an attack may play out over weeks or even months, never tripping a single rule. For example, a government contractor was found to be hoarding sensitive data over several years.
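To make the contrast between a static rule and behavioral analytics concrete, here is an added example (not code from the original post, and not tied to any of the incidents it mentions) that runs three detectors over a constructed log of daily download volumes per user. A fixed per-day limit never fires because no single day is large; a per-day z-score against each user's own baseline also stays quiet because each day's excess is small; a cumulative-sum (CUSUM) detector adds up those small excesses and flags the slow hoarding pattern within a few days. The users, volumes, thresholds and the five-day training window are all assumptions chosen for the illustration.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed daily download totals per user, in bytes. Days 1-5 are the
# training window. From day 6 "bob" pulls slightly more each day: the kind
# of slow hoarding that a fixed per-day limit never notices.
SAMPLE_LOG = """\
day,user,bytes
1,alice,120000
1,bob,95000
2,alice,118000
2,bob,100000
3,alice,122000
3,bob,98000
4,alice,121000
4,bob,102000
5,alice,119000
5,bob,99000
6,alice,119000
6,bob,104000
7,alice,121000
7,bob,105000
8,alice,120500
8,bob,106000
9,alice,118500
9,bob,105500
10,alice,120000
10,bob,106000
"""

BASELINE_DAYS = 5  # assumed length of the per-user training window


def parse_log(text):
    """Return {user: [(day, bytes), ...]} with each user's rows sorted by day."""
    series = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        series[row["user"]].append((int(row["day"]), int(row["bytes"])))
    for rows in series.values():
        rows.sort()
    return series


def static_rule(series, limit=1_000_000):
    """Classic rule: alert when a single day's volume exceeds a fixed limit."""
    return [(u, d) for u, rows in series.items() for d, b in rows if b > limit]


def baseline(rows):
    """Mean and standard deviation of a user's training-window volumes."""
    train = [b for d, b in rows if d <= BASELINE_DAYS]
    mean = statistics.mean(train)
    sigma = max(statistics.stdev(train), 1.0)  # floor avoids division by zero
    return mean, sigma


def zscore_rule(series, z_limit=3.0):
    """Per-day behavioral rule: alert when one day sits more than z_limit
    standard deviations above that user's own baseline."""
    alerts = []
    for user, rows in series.items():
        mean, sigma = baseline(rows)
        for day, b in rows:
            if day > BASELINE_DAYS and (b - mean) / sigma > z_limit:
                alerts.append((user, day))
    return alerts


def cusum_rule(series, k_sigma=0.5, h_sigma=5.0):
    """Drift detector (one-sided CUSUM): accumulate each day's excess over
    baseline beyond a slack of k_sigma standard deviations, reset at zero,
    and alert once the running sum exceeds h_sigma standard deviations."""
    alerts = []
    for user, rows in series.items():
        mean, sigma = baseline(rows)
        slack, threshold, running = k_sigma * sigma, h_sigma * sigma, 0.0
        for day, b in rows:
            if day <= BASELINE_DAYS:
                continue
            running = max(0.0, running + (b - mean - slack))
            if running > threshold:
                alerts.append((user, day))
    return alerts


if __name__ == "__main__":
    series = parse_log(SAMPLE_LOG)
    print("static limit :", static_rule(series))
    print("z-score      :", zscore_rule(series))
    print("cusum drift  :", cusum_rule(series))
```

In practice the baseline would be recomputed on a rolling window and the slack and threshold tuned per data source, but the shape of the result is the point: the static rule and the per-day z-score both report nothing, while CUSUM names the user and the day the drift became significant.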

Additionally, adoption of new technology brings new features to the masses, along with new security holes. A recent version of Apple’s iOS included a security flaw which permitted users’ phone calls, messages, chats and even locations to be tracked. Thirty years ago, we’d be worried about telephone wires being tapped, but the stakes are higher in today’s world.

Response Time is King

The faster the detection, the faster the recovery. (Figure from the Insider Threat Report linked above.)

Prevention is better than cure, but a faster response is better than a lethargic one. According to a 2015 report, the average resolution time of a cyber attack is 32–45 days. By then, attackers would likely have breached additional systems within the organization, sold the data to the highest bidder, or even used the stolen information to break into other systems (as in the case of stolen passwords and other personal data).

With security investigators and company executives being bombarded with too much information, it becomes difficult for them to prioritize one alert over another. The infamous Target credit card breach is a good example of how good detection doesn’t always result in good resolution.

Take Control of Your Security

Doubtless, even the best companies today have trouble securing their information systems. The cavalry may not be charging down the nearest hill when there is a battle. So what’s the next best thing to alleviate the problem? We, as consumers and individuals, taking control of the security of our own data.

  • Keep abreast of data breach notifications in the news and on social media. While these often follow delayed public statements made by the affected organizations, it is better than sitting in the dark.
  • Change your password and use a strong password, if you suspect a breach. Caveat emptor; this is useless when the company does not internally secure the information in its databases, increasing the susceptibility to theft.
  • Do not offer unnecessary personal information while signing up on websites. If they only require your email address and your name is optional, do not provide your name.
  • Delete any unused or unwanted accounts (highly likely to be happening to Yahoo right now).
  • Finally, never forget that nothing is private on the internet. Once it is out there, it is very difficult to scrub it off. This may sound extreme, but life becomes a lot simpler when you accept it.

Securing your data does require extra effort, but it is worth your privacy and peace of mind.