Business Case: Lax Security at LinkedIn Exposed

Figure $5\mathrm{.}12$ LinkedIn data breach overview.

On any social network, most users mistakenly believe that their privacy is only as good as the privacy of their most careless$$or temporary$$friend$.$ In fact, weak passwords and hackers can deprive users of all privacy.

Business social networking site LinkedIn was hacked

in June $2012($Figure $5\mathrm{.}12).$ Hackers stole $6\mathrm{.}5$ million pass$-$ words and e$-$mail addresses. This data breach was discovered by IT security experts when they found millions of LinkedIn passwords posted on a Russian underground website

$($Figure $5\mathrm{.}13).$ Experts also determined that a hacker named Dwdm was asking underground members for help in cracking the stolen passwords. Within only two days, most passwords were cracked. Why were LinkedIn$$s passwords cracked so quickly? The simple answer is that LinkedIn was using an outdated encryption method instead of up$-$to$-$date industry$-$ standard encryption. As a result, members$$ passwords were really only camouflaged$$and crackable.

LinkedIn Criticized for Bad Data Security

What could hackers do to your online accounts if they had your passwords for $48$ hours and you did not know? That is what LinkedIn allowed to happen by waiting two days before

notifying members that their passwords had been stolen. The company took a lot of criticism for not notifying members

via Twitter or Facebook immediately. According to the chief executive of the Public Relations Consultants Association, Francis Ingham, LinkedIn ignored the first rule of crisis man$-$ agement, which is to be first to tell your customers.

What surprised customers and IT security experts was that a company that collects and profits from vast amounts of data had taken a negligent approach to protecting it$.$ Figure $5\mathrm{.}14$ explains why it was surprising and alarming that LinkedIn$$s password protection was weak.

E$-$mail Addresses Are Universal Usernames

At most e$-$commerce and social sites, usernames are e$-$mail addresses$$making them our universal username for online accounts. If the e$-$mail is a work account, then everyone also knows where we work and our login name. Therefore, know$-$ ing users$$ usernames and passwords provides authorized access to corporate accounts with almost no risk of being detected. Hackers attacked LinkedIn to gain access to over $161$ million members$$ credentials as a means to gain access to much more valuable business network and databases. Business Risks and Collateral Damage

The hack caused the following business risks and collateral damage.

$$ Takeover of members$$ other accounts by hackers, fraudsters, and other criminals. Hackers know that people reuse passwords; once their LinkedIn accounts are linked to Facebook and Twitter, far too much informa$-$ tion may be revealed. Knowing where people worked and their e$-$mail accounts allowed hackers to quickly use the stolen LinkedIn passwords to log in to corporate accounts, online bank accounts, and so on to steal more data or transfer funds.

$$ Damage to LinkedIn$$s biggest revenue source$$its advertising business. LinkedIn$$s financial success is tied to its advertising revenues, which in turn are based on the number of active members and membership growth.

$$ Fines for violating privacy laws and regulations. Any company exposing the confidential data of customers or employees faces steep fines. Regulators impose harsh penalties for breaking privacy laws and not taking reason$-$ able care to defend against data breaches. Strict data privacy laws in states such as Massachusetts and California could keep LinkedIn fighting legal battles for years.

$$ Cleanup costs. The cleanup cost LinkedIn nearly $$1$ million and another $$2$ to $$3$ million in upgrades. Forensic work on the password theft cost another $$500,000$ to $$1$ million.

Data Security: A Top Management Concern

Data security is a senior management concern and respon$-$ sibility. It affects a company$$s operations, reputation, and customer trust, which ultimately impact revenue, profits, and competitive edge. Yet defenses that could help to prevent breaches are not always implemented.

Some experts argue that senior management continues to skimp on basic protections because computer security is not regulated$$that is$,$ until a business suffers a major crisis. After the data breach, LinkedIn implemented improved pass$-$ word storage encryption, hired private security and forensics experts, and called in the Federal Bureau of Investigation $($FBI$)$ to help investigate the security breach.

Jeremiah Grossman, chief technology officer of White Hat Security, estimated that it would have cost LinkedIn $$a couple hundred thousand dollars$$ to secure its members$$ passwords, Web servers, and applications $($Perlroth$,2012$a$).$

How This Attack Compares to Others

While $6\mathrm{.}5$ million leaked passwords represents a serious breach, it affected a relatively small percent of the more than $175$ million members LinkedIn had at that time. Overall, the LinkedIn breach, while somewhat costly$,$ did