Many companies have been ‘hacked’, but please don’t make it THIS easy

Hacking is never far from the news these days.

Organisations are endlessly making the headlines after suffering a security breach, and finding themselves in the awkward position of explaining to the public why their personal data may have been put at risk.

But not all data breaches are the result of highly-sophisticated ‘hacks’ that exploit zero-day vulnerabilities or sneaky social engineering.  Some data breaches simply rely upon a pitiful lack of security that can only be described as imbecilic.

This week we discovered that nearly 200 million registered US voters have had their sensitive personal details accidentally exposed online.

UpGuard researcher Chris Vickery discovered that a contractor employed by the Republican National Committee (RNC) had carelessly left databases containing information on a staggering 198 million potential voters exposed to the internet – meaning anyone who knew where to look could download it without entering any passwords.

Yes, that’s right.  No password required.

When corporations are being this careless with the data they have been entrusted, why should hackers feel they need to devise sophisticated information-stealing malware and remote access Trojans, or devise convincing email scams that might phish login credentials from the unwary?

For a hacker to access the 1.1 terabytes of data containing voters’ dates of birth, home addresses, telephone numbers and political views all they needed was the URL for the publicly accessible Amazon cloud server where marketing firm Deep Root Analytics had stored its spreadsheets.

Alex Lundry, founder of Deep Root Analytics, told Gizmodo that following the revelation of the security screw-up, steps had been taken to secure the data:

“We take full responsibility for this situation. Based on the information we have gathered thus far, we do not believe that our systems have been hacked.”

“Since this event has come to our attention, we have updated the access settings and put protocols in place to prevent further access.”

Well, it’s good that the data is no longer publicly accessible – but we don’t know how long it was available to anyone on the internet, and we simply do not know if a malicious party might have accessed the data.

And no-one would be prepared to bet against other organisations having made similar foul-ups, exposing personal information or corporate secrets through the sheer carelessness of not putting any security in place at all.

For its part, the Republican National Committee says that it has stopped working with Deep Root Analytics, “pending the conclusion of their investigation into security procedures.”

It’s very simple.

If you are careless with the personal data of individuals you are putting those individuals at risk.  They may not, as in this case, have ever had an opportunity to choose whether to trust you or not – you had simply acquired their data and failed to properly defend its privacy.

Furthermore, if your company suffers a data loss because of its sheer incompetence then you are unlikely to impress your existing or potential future clients, who will be nervous of having their reputation dragged through the mud by association.

Finally, although it’s hard to say that any company can guarantee it will never suffer some time of security breach, it’s clear that numb-skulled behaviour like leaving terabytes of sensitive data accessible on the internet with no requirements for a password will be bad for your enterprise’s business too.

Many companies have been hacked, but if you care so little about security inside your business that breaches like this can happen, then maybe you deserve to lose your clients and not put other innocent parties at risk in future.