The Uber hack was an object lesson in the perils of trusting a company to report a data compromise in a timely way, which is why a new breach-detection workaround developed by a cybersecurity firm is newsworthy.
Cybersecurity firm Tripwire has figured out a way to detect unreported compromises.
The impulse to hide evidence of an attack, and to keep things mum for as long as possible when one happens, is strong. The Uber breach affected 57 million consumers. That’s not a selling point. Since there is ample motivation to guard reputation by covering up data compromises, consumers may feel they lack the information needed to choose service providers and retailers wisely.
Breach notification laws exist in 48 states and 4 jurisdictions, but the penalties for ignoring those rules are not as steep as the potential for lost business.
Tripwire’s method involves creating email address/password combinations, registering each one at a different site, and then monitoring those accounts to see whether a login occurs. The logic is simple: the accounts were strictly for research and the credentials were used nowhere else, so if there has been a login, the site where those credentials were registered has been breached. They are essentially placing tripwires around the forest and waiting for one to be sprung.
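The inference behind those tripwires, as an added example (not Tripwire’s own code): one decoy mailbox and password per monitored site, and any login to the mailbox with that password from an address that is not the monitor’s own points at exactly one site. Site names, addresses and log entries are constructed.

```python
# Honey-account ("tripwire") breach inference. Each decoy mailbox/password pair
# is registered at exactly one monitored site and used nowhere else, so a
# foreign login to the mailbox with that password means that site leaked its
# credentials. All sample data below is constructed.
import hashlib
from collections import defaultdict

# Constructed decoys: (monitored site, decoy email, password registered there).
DECOYS = [
    ("shop-a.example", "t1@honey.example", "Kx9!pQ2mV7zR"),
    ("forum-b.example", "t2@honey.example", "wL4#hN8sB1yT"),
    ("bank-c.example", "t3@honey.example", "eR6$uJ3cM0qZ"),
]
RESEARCHER_IPS = {"198.51.100.7"}  # the monitor's own check-in logins

# Constructed authentication log of the decoy mailboxes (constructed IPs).
LOGIN_EVENTS = [
    {"ts": "2017-06-01T10:00", "email": "t1@honey.example", "password": "Kx9!pQ2mV7zR", "src_ip": "198.51.100.7"},
    {"ts": "2017-08-14T03:12", "email": "t2@honey.example", "password": "wL4#hN8sB1yT", "src_ip": "203.0.113.9"},
    {"ts": "2017-08-14T03:13", "email": "t3@honey.example", "password": "guess123", "src_ip": "203.0.113.9"},
    {"ts": "2017-09-02T22:40", "email": "t3@honey.example", "password": "eR6$uJ3cM0qZ", "src_ip": "203.0.113.44"},
    {"ts": "2017-09-03T01:05", "email": "t3@honey.example", "password": "eR6$uJ3cM0qZ", "src_ip": "203.0.113.44"},
]

def fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()

def build_registry(decoys):
    """Map (email, password hash) -> site, so plaintext decoy passwords
    are not stored next to the login log."""
    return {(email, fingerprint(pw)): site for site, email, pw in decoys}

def infer_compromises(registry, events, researcher_ips):
    """Return ({site: [timestamps]}, unmatched events). The monitor's own
    logins are skipped; an attempt whose password matches no decoy is a
    guess or password spray and is evidence against no site."""
    hits, unmatched = defaultdict(list), []
    for ev in events:
        if ev["src_ip"] in researcher_ips:
            continue
        site = registry.get((ev["email"], fingerprint(ev["password"])))
        if site is None:
            unmatched.append(ev)
        else:
            hits[site].append(ev["ts"])
    return dict(hits), unmatched

def first_seen(hits):
    """Earliest foreign login per site, to compare with the site's own disclosure date."""
    return {site: min(stamps) for site, stamps in hits.items()}
```

The first-seen date is the interesting output: it is the point from which a site that later discloses (or never does) can be measured against the "timely" standard the Uber case failed.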
Of the 2,300 sites monitored, 19% were compromised. To make matters worse, only one of those sites forced a password change.
The takeaway: You need to be vigilant. Always practice the three Ms as described in my book, Swiped, and use a password manager to make sure every account you use has its own unique password.
Here are the three Ms:
And here’s the whole story.