Security Fridays: Week Eight
Michael Urgero, 02/04/2020, Industry News
Why passwords are not strong enough: the rising need for MFA
Sometimes you just have to wonder if they do it on purpose. Bad design, bad engineering. The French sporting company Decathlon recently experienced a significant data theft event in which a 9 GB database was copied out of the company and mined for its content. How lovely. The database contains personally identifiable information (typically referred to as PII) on customers and employees. Parts of this dataset included unencrypted usernames, passwords, social security numbers, address details, email addresses with credentials, and the lot. Yep, that’s right, and I said it – unencrypted. It’s a virtual treasure chest of data that’ll be sold off and used for identity theft and other hacking exploits around the globe. Remember my last post, where we talked about how people generally use the same password, or similar ones, across accounts? So your password at Decathlon could be the same password you use for your online banking account or your Instagram.
Decathlon is downplaying the breach, saying that despite the size of the database, only a small portion of it relates to employees and customers. I’m not entirely sure I’m sold on that, but it’s what they’re telling the general public.
This is 2020, and for the last two decades we’ve been fighting some of the most severe data breaches of our time. It started in the early 2000s with servers being hacked through vulnerabilities built into operating systems; today there is a market for such data, and selling data like this can provide a very lucrative payday. How could anyone design a database application and leave the data unencrypted? Why did they create it this way? How was this risk not identified by the organization that reviewed the design and authorized the database and its applications to be developed?
In my opinion, this was no oversight. Someone made off with hundreds of thousands of records (an estimate, because they’ve not yet disclosed the exact number) and is selling this data for profit. They have to be, because this level of ignorance is stunning. I’ll also be okay if I’m wrong. But then someone will have to explain to me how – in the year of our lord, two thousand and twenty – a development team with the chops to code an enterprise application of this size could be so foolish as to leave all the valuable data completely unprotected and unencrypted.
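To make the design point concrete, here is an added example (not code from the original post, and nothing to do with Decathlon's actual system) contrasting the weak pattern the post describes, a credential store that keeps the password itself, with the standard mitigation: a per-user salted, iterated password hash using Python's standard library. The sample accounts and passwords are constructed for the demonstration; the iteration count is an assumption you would tune to your own hardware budget.

```python
import hashlib
import hmac
import os

# --- Weak pattern: the store keeps the password itself. ---
# Constructed sample rows (not real data). Two users happen to share a password,
# as the post notes people often do across sites.
PLAINTEXT_STORE = {
    "alice@example.com": "Summer2020!",
    "bob@example.com": "Summer2020!",
}


def plaintext_login(store, email, password):
    """Whoever copies `store` can now log in as every user here, and on any
    other site where the same password was reused."""
    return store.get(email) == password


# --- Hardened pattern: salted, iterated hash per user (PBKDF2-HMAC-SHA256). ---
PBKDF2_ITERATIONS = 600_000  # assumption: pick a cost your login latency budget allows


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a stored record from a password. A fresh random salt per user means
    identical passwords produce different records, so a stolen copy does not
    even reveal which users share a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, candidate):
    """Recompute the derivation with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_hashed_store(plaintext_store):
    """Migrate a plaintext store: after this, the plaintext should be destroyed."""
    return {email: hash_password(pw) for email, pw in plaintext_store.items()}


# A throwaway record verified against when the account does not exist, so a
# missing user costs the same time as a wrong password (constructed value).
_DUMMY_RECORD = hash_password("not-a-real-password")


def hashed_login(store, email, candidate):
    record = store.get(email)
    if record is None:
        verify_password(_DUMMY_RECORD, candidate)  # burn equal time, then refuse
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    for email, rec in hashed.items():
        print(email, rec["hash"][:16] + "...")  # no password visible in the dump
    print("alice login:", hashed_login(hashed, "alice@example.com", "Summer2020!"))
    print("wrong pw:", hashed_login(hashed, "alice@example.com", "summer2020!"))
```

The point of the exercise is what an attacker gets from a copied table: with `PLAINTEXT_STORE` they get every credential, reusable anywhere; with the output of `build_hashed_store` they get salted hashes that must be cracked one user at a time at the full PBKDF2 cost. Hashing does not make a breach harmless, which is the post's argument for MFA, but it stops a database dump from being a ready-made list of working logins.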
Once again, people around the world are suffering secondary identity theft, account breaches and more because one small retailer failed to do its job.
Read the article that was analysed here: www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/