Learning from LinkedIn’s Data Breach

Data security is usually the province of information technology departments. Not so for LinkedIn. Early in June 2012, there were reports of hackers leaking 6.5 million user passwords. The company said it was “looking into” the report, and then things got really bad. LinkedIn confirmed the loss and directed users to change their passwords. It did not help that too many people had chosen easy-to-guess passwords such as “12345” or “password.”

LinkedIn was responsible for the data breach, and also for not adequately encrypting the data, so hackers could easily find what they were looking for. Add to that the breaches at dating site eHarmony and CBS music site Lastfm.com (both of which hold a large amount of payment and personal information). Criminals immediately exploited the news to send fake emails designed to trick people into unknowingly downloading malware. That spread the problem even further.

Now the lawsuits have already started. The first is for $5 million. Who knows how big and frequent they’ll get? Strict data privacy laws in states such as Massachusetts and California could keep the company jumping through hoops for some time to come. Security may be conducted and administered by IT, but the topic is ultimately a concern for management because it has an impact on strategy, operations, legal issues, and reputation. All of that translates into an impact on business, revenue, profits, and competitive edge. If you have a business degree and didn’t learn that lesson in class, it’s time to study it now.

If a business keeps significant data on customers (and which ones don’t?), it is vulnerable to data breaches. Size doesn’t matter. Remember that last year Sony saw a massive online break-in. Smaller companies are not immune either. According to analysis by security vendor Symantec, 40 percent of targeted hacking attempts focus on small to medium businesses. Blaming IT is easy, but it doesn’t go far if management has not itself been responsive to the information security needs of the company.

CEOs who refuse to spend the money on what CIOs insist is a necessary foundation of security cannot reasonably point a finger anywhere but at themselves. Proper protection may seem like money spent to no end, but if someone breaches your system, that price tag will look low next to what a breach could cost the company. Management’s concern for security should also extend beyond the company’s own walls. Vendors, business partners, customers, and employees can expose a company to the effects of data insecurity elsewhere when passwords, user names, and other critical information are reused from one place to another. Someone’s old password on LinkedIn may be the same as the current password on an employer’s corporate systems.