“We are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorised access to our systems by a malicious third party. We are very sorry for any concern or inconvenience this may cause.”
That was the message that knowledge sharing website Quora sent to up to 100 million customers in recent days, following the discovery that an unknown third party had accessed its systems. Quora is a question-and-answer website, with queries ranging from what it's like to live in Ireland to why certain fast food chains only sell Pepsi. Questions can be asked anonymously or under an account, but to answer, you need to sign up.
Anonymous questioners are safe, but those who signed up are now facing the prospect of a round of password changes. Account information, including names, encrypted passwords and email addresses, was all at risk, along with any data users imported from linked networks such as Facebook or Google.
Breaches
It has become an all too familiar story. Quora is just the latest in the list of companies that have fallen victim to data breaches, with hotel chain Marriott informing its customers on Sunday their databases had been breached and information put at risk. The legal actions have already begun to trickle into the courts.
In November, Uber was hit with fines in the UK and the Netherlands for a breach that involved 57 million customers. In that case, the company didn't report the data breach immediately, but instead it paid hackers to destroy the stolen information.
The fact that the company had failed to inform users compounded the offence, leaving their customers unaware that they needed to take steps to secure their online accounts. It was a move that has cost the company financially; on top of the initial $100,000 payment to hackers, the British authorities fined the firm €435,000, and the Netherlands hit Uber with a €600,000 penalty. In the US, Uber had to pay a record $148m to settle claims arising from the incident with all 50 US states and the District of Columbia.
Facebook is also facing the prospect of a massive fine for a data breach it revealed in September. Some 30 million accounts were affected by the attack, and hackers were able to access personal information – name, relationship status, birthdate, workplaces, search activity, recent location – for about half of that number.
The Data Protection Commissioner has officially opened an investigation into the matter, and if any users affected by the breach are in EU countries, GDPR means the social network could see a hefty fine.
Theft
The Facebook attack didn’t include financial information, but it did include some details that are more difficult to change than a few credit card numbers. Dates of birth are more identifying and, obviously, impossible to change. Add in some location data and family details, and you have a recipe for identity theft.
Quora was quick to reassure its customers that the likelihood of identity theft was low, as it doesn’t hold financial data or identifying information such as social security numbers. But while it may be a minor inconvenience for some users this time, it could be a problem for others.
Take the recent spate of ransom demands that landed in inboxes all over the world. The email informed recipients the hackers had potentially damaging video of them and by way of verification, included a password that the recipient had used at some point. For many, this was where the ruse failed; the password was old, gleaned from one of the many data breaches in the past and long since changed. But it may have fooled those who do not change passwords, or who reuse the same ones across their accounts.
That is, of course, one of the simplest security rules to follow: don’t reuse passwords. Do so, and if a hacker has one, they have them all. It’s a tricky situation to unwind in an age where all our identities are linked to our online accounts.
The truth is that we can’t completely rely on companies to keep our data safe, so we have a choice. We can withhold our data, using throwaway accounts and fake details for services that require some sort of information to use them; we can make our passwords as strong as possible, limiting the damage done if an attack occurs; we can bump up security by using two-factor authentication where available; and we can keep a close eye on accounts, both financial and otherwise, for evidence of malicious activity.
That, and keeping our fingers crossed and hoping for the best.