A cache of over 98 million login names and passwords from the Russian email service Rambler.ru (roughly a Russian equivalent of Yahoo, offering email, news and content), dating from 2012, has just been posted online for sale, with copies of the list offered at one bitcoin (£456).
Rambler first learned of the leak in 2014, forced users to change their passwords and barred the reuse of any previous ones. However, the data set published by LeakedSource, and verified with the help of Russian journalists, showed that the passwords had not been hashed or encrypted at all: they were stored in plain text.
Analysis of the list showed that the character sequence “asdasd” was the most popular password, used by more than 723,000 people, followed by “asdasd123”. This revelation follows June’s public disclosure of another major breach, in which the details of more than 100 million users of the Russian social network VK.com were shared online.
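The two findings above, plaintext storage and a handful of passwords shared by hundreds of thousands of users, are two sides of one defect. The following is an added example written for this article, not code from Rambler or LeakedSource, and it works on a constructed, made-up dump rather than real data. It shows how a “most popular password” count is only possible when passwords are stored unhashed, how a per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library here, chosen for portability; argon2id or scrypt are preferable for a new system) removes that property, and how a frequency list from a past breach can be turned into a blocklist so that “asdasd” is rejected at registration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of a plaintext "login:password" dump in the style the
# article describes. These are made-up accounts, not real Rambler.ru data.
SAMPLE_DUMP = """\
ivan@example.com:asdasd
olga@example.com:asdasd123
petr@example.com:asdasd
anna@example.com:qwerty
dmitry@example.com:asdasd
elena@example.com:asdasd123
sergey@example.com:correct horse battery staple
"""

# PBKDF2-HMAC-SHA256 is used because it ships with the standard library; for a
# new system prefer argon2id or scrypt. The iteration count follows OWASP's
# current guidance for this algorithm.
ITERATIONS = 600_000
SALT_BYTES = 16


def password_frequencies(dump_text):
    """Count each plaintext password in a 'login:password' dump.

    This is the analysis that yields a statistic like "asdasd: 723,000 users".
    It only works because the passwords were stored without hashing.
    """
    counts = Counter()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than crash on them
        _, password = line.split(":", 1)
        counts[password] += 1
    return counts


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt-hex>$<hash-hex>'.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table no longer reveals who shares a password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Check a candidate password against a stored record using a constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_blocklisted(password, counts, min_count=2):
    """Reject any password seen at least min_count times in a known breach dump."""
    return counts[password] >= min_count


if __name__ == "__main__":
    counts = password_frequencies(SAMPLE_DUMP)
    print("most common:", counts.most_common(3))
    record = hash_password("asdasd")
    print("stored record:", record)
    print("verify ok:", verify_password("asdasd", record))
    print("asdasd blocklisted:", is_blocklisted("asdasd", counts))
```

In practice the blocklist would be built from a published breach corpus or a service such as a k-anonymity password-exposure API rather than from an in-memory Counter, and the hashing parameters would be stored alongside each record, as the `record` format above does, so they can be raised over time without a forced reset.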
We have often described an organisation’s data as its ‘crown jewels’, and safeguarding your data and that of your customers is a hugely important responsibility. There is no ‘one size fits all’ remedy, as the security measures appropriate for one organisation will differ from those appropriate for another.
Instead, companies should focus their strategy by adopting a risk-based approach to deciding what level of security is required and where, and by asking pertinent security questions of any third-party contractors and suppliers they use.
ISO 27001, the standard for an Information Security Management System (ISMS), provides a risk-based approach to data security. When rolled out through an organisation it can push down through the supply chain to raise standards among third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, any company, large or small, that builds a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through regularly tested policy. For the firm’s customers and stakeholders this means higher levels of assurance, and it also helps the firm meet its growing legal and regulatory data protection obligations.