Welcome to the August 2016 issue of the Computing Security Newsletter
The recent scandal over O2 customers’ data appearing for sale on the dark web shook many, not least those directly affected. O2 says it was not a victim of a data breach – hackers actually stole the data from another source nearly three years ago – but that has left many unimpressed.
Richard Stiennon, chief strategy officer at Blancco Technology Group, is one of many in that category who have contacted Computing Security to express their concerns. He believes that O2 claiming it has been a victim of ‘credential stuffing’ is an insufficient excuse.
“According to O2, this isn’t a data breach per se,” he says. “Instead, they’re classifying it and their business as being the victim of a hacking tool called ‘credential stuffing’. In this case, hackers used ‘credential stuffing’ to breach a gaming site called XSplit and subsequently stole members’ login details three years ago. Then, in 2016, the hackers were able to match gamers’ login details from XSplit to indirectly hack into O2 users’ accounts.
“The major issue here is that a lot of people reuse the same usernames and passwords for various digital site logins. And at the same time, many of those digital sites and companies have a low-level authentication process in place to validate user account information.
“A good start for O2 would have been to introduce a multiple point authentication system, because human nature dictates that people aren’t going to stop using the same login details, but organisations still owe their customers complete data protection,” Stiennon points out. “And considering cyber-crime is now a bigger threat than traditional crime in the UK, it is more important than ever for companies to take data protection very, very seriously.”
Brian Wall, Editor