Recently, DSLReports, an ISP news and review site, suffered a security breach. The breach led to the disclosure of information pertaining to 8,000 active and 90,000 inactive subscriber accounts. The data extracted by the attackers included registered e-mail addresses and passwords. The organization has started notifying the affected subscribers. The website was compromised through a SQL injection attack carried out with the help of a botnet.
Ironically, the passwords were stored in plain text and not encrypted. While the organization has reset the passwords of the affected accounts, subscribers who reuse the same password across multiple accounts remain exposed on every one of those accounts.
In another data breach incident, a ticket sales representative of the baseball team New York Yankees inadvertently attached an Excel file containing information on over 21,000 ticket accounts to a newsletter and dispatched it to several existing clients. The Excel file contained names, mailing addresses, phone numbers and e-mail addresses of account holders. Again, the spreadsheet was not encrypted.
Organizations must give high priority to information security. Passwords must never be stored in plain text (salted hashing, rather than reversible encryption, is the standard protection for stored passwords) to reduce the possibility of misuse. Employees must be guided on cyber security practices through e-learning programs or encouraged to undertake online university degree courses on cyber security.
Regular security evaluation by professionals holding master's qualifications in security science and information security may help in mitigating threat vectors and strengthening defenses against security intrusions.
While the recent spate of data breach incidents may disillusion Internet users, they must take adequate precautions at their own end to reduce the misuse of sensitive information. Online degree courses on cyber security may help users understand different security threats and best practices. They must avoid sharing e-mail addresses arbitrarily on different sites. Use of strong and unique passwords is the basic premise of cyber security. However, users are required to log in to multiple accounts such as social networking sites, bank websites, official web applications, databases and e-mail accounts in the course of their daily activities.
Ease of remembering and lack of uniformity in password policy across sites cause individuals to use common and insecure passwords. Passwords must not contain personally identifiable information such as name, date of birth, age, contact numbers or driving license numbers. Passwords must not contain sequential letters or numbers. They must be a combination of numerals and letters, and in some cases special characters.
Passwords must contain both lowercase and uppercase letters. While remembering multiple passwords may be inconvenient, the use of strong and unique passwords will reduce the possibility of unauthorized access and misuse of information.
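The password rules listed above can be enforced at account creation. The following checker is an added example, not code from the article or from either organization mentioned; it assumes a run of three consecutive letters or digits ("abc", "321") counts as sequential, and that the user's personal details are supplied as a tuple of strings.

```python
import re
import string

SEQ_RUN = 3  # assumption: three stepping characters ("abc", "987") is a sequential run


def has_sequential_run(pw: str, run: int = SEQ_RUN) -> bool:
    """True if `run` adjacent characters, all letters or all digits,
    step by exactly +1 or -1 in code point (e.g. 'abc', 'CBA', '123')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue  # mixed classes such as 'a1b' are not a run
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, pii: tuple[str, ...] = (), require_special: bool = False) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    `pii` holds the account holder's details (name, date of birth, phone number,
    licence number); any alphanumeric chunk of 3+ characters taken from them must
    not appear inside the password.
    """
    problems = []
    low = pw.lower()
    for item in pii:
        for chunk in re.findall(r"[A-Za-z0-9]+", item):
            if len(chunk) >= 3 and chunk.lower() in low:
                problems.append(f"contains personal information: {chunk!r}")
    if has_sequential_run(pw):
        problems.append("contains sequential letters or numbers")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one numeral")
    if not any(c.isalpha() for c in pw):
        problems.append("needs at least one letter")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and uppercase letters")
    if require_special and not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    return problems


if __name__ == "__main__":
    # constructed sample: a subscriber named Jane Doe, born 1985-03-12
    details = ("Jane Doe", "1985-03-12")
    for candidate in ("Jane1985!", "Abc12345x", "password", "Tr4ns1t-Gl0w"):
        print(f"{candidate!r}: {check_password(candidate, details, require_special=True) or 'ok'}")
```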