News last week of the Quora data security breach should serve as a wake-up call for all businesses. The widely used question-and-answer website was compromised by a malicious third party, impacting the account information of approximately 100 million users, including names, email addresses and encrypted passwords.
The breach was discovered on Friday 30 November and reported on Monday 3 December, in keeping with the 72-hour public disclosure window required under GDPR.
Another enormous data security fail
Of course, this data security breach comes hot on the heels of an even bigger data security fail at Marriott International. The organisation discovered hackers had accessed the reservation system of its subsidiary Starwood for four long years. During this time, the hackers had helped themselves to sensitive personal information from as many as 500 million guests. This included home addresses, birth dates, email addresses, phone numbers, flight information and passport numbers — the entire kit and caboodle.
In a blog post about the Quora data security breach, chief executive Adam D’Angelo didn’t mince his words:
“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust.”
Data safety precautions
In the same blog post, D’Angelo explained that the company was in the process of notifying users whose data had been compromised, and had taken some data safety precautions:
“Out of an abundance of caution, we are logging out all Quora users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords.
We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements.
We will continue to work both internally and with our outside experts to gain a full understanding of what happened and take any further action as needed.”
Attacks are not a matter of if, but when
These latest data security breaches raise more important questions for all CEOs, CIOs, and Chief Security Officers: Are your security practices and systems up to the task of safeguarding the personal information you collect from users?
As we outlined in a previous blog post on notifiable data breaches, the only way you can avoid the fallout of a data breach is to prevent it from happening in the first place by following industry best practices:
- Employ adequate encryption
- Actively address known IT vulnerabilities
- Ensure software is up to date
- Undertake adequate system scans
- Perform routine security reviews
The Quora data security breach won’t be the last
Smartphones also represent an ever-present risk to enterprise data security. Devices with larger storage capacities let users keep more sensitive information on them, increasing the risk and impact of data leakage.
Assess your risk
All companies, regardless of size, should expect to be targeted by attackers. Until enterprises can adequately protect their customers, this threat will not go away. Use our data risk calculator to assess data risk in your organisation.
Contact us to find out more on how you can enhance security threat defence policies, procedures, and security technologies to mitigate your data security risk.