It's 2016 and instead of feeling more secure, the industry is facing an epidemic. Hacking has moved from glory seekers to ominous business plans on a trajectory to an apocalypse.
The LinkedIn situation brings a number of questions to light: are companies capable of protecting personal data? Is cybersecurity forensics a science or an art? Do end-users have a claim for future harm, given that it took four years for this theft to surface and reignite their personal risk?
The big losers are always end-users who entrust their data to companies big and small that continue to prove they can't protect the information they have collected. LinkedIn is only the most recent headline punching bag. Others have left an indelible mark, including Adobe (152 million records), Ashley Madison (30 million), Mate1.com (27 million), and the United States Office of Personnel Management (21 million).
Hackers, meanwhile, continue to abuse and replay stolen credentials and passwords to attack victims who use the same password over and over again across their accounts. The most popular password in the LinkedIn lot was "123456".
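The replay pattern described above, where one source works through a leaked credential list against many different accounts and succeeds only where a user reused the password, leaves a distinctive trace in authentication logs. The following detector is an added example and is not code from the article; the log line format, the addresses and the usernames are all constructed for illustration, and the thresholds are assumptions a defender would tune to their own traffic.

```python
"""
Credential-stuffing detector over constructed authentication log lines.

Signature of a stuffing run: a single source address tries many *different*
usernames, mostly failing, with the occasional success where a user reused a
password that was already leaked elsewhere.
"""
import re
from collections import defaultdict

# Constructed sample log (not from any real system); the format is assumed.
SAMPLE_LOG = """\
2016-05-18T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL
2016-05-18T10:00:02Z auth ip=203.0.113.7 user=bob result=FAIL
2016-05-18T10:00:03Z auth ip=203.0.113.7 user=carol result=FAIL
2016-05-18T10:00:04Z auth ip=203.0.113.7 user=dave result=SUCCESS
2016-05-18T10:00:05Z auth ip=203.0.113.7 user=erin result=FAIL
2016-05-18T10:00:06Z auth ip=203.0.113.7 user=frank result=FAIL
2016-05-18T10:01:00Z auth ip=198.51.100.9 user=alice result=FAIL
2016-05-18T10:01:05Z auth ip=198.51.100.9 user=alice result=FAIL
2016-05-18T10:01:10Z auth ip=198.51.100.9 user=alice result=SUCCESS
2016-05-18T10:02:00Z auth ip=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)"
)


def parse_log(text):
    """Extract (ip, user, result) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """
    Return {ip: summary} for sources whose login attempts look like credential
    stuffing: at least `min_distinct_users` distinct accounts tried and at
    least `min_fail_ratio` of the attempts failed. The summary lists the
    accounts where a login *succeeded* from that source, which are the ones an
    incident responder should treat as likely compromised (password reuse).
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "hits": []})
    for ip, user, result in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["hits"].append(user)

    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        fail_ratio = s["fail"] / s["total"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": distinct,
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary}")
```

Note what the detector does and does not flag: the source that cycles through six accounts is reported, with `dave` listed as the account that should be forced through a password reset, while the source hammering one account (`alice`) is not, because that is a single-account brute-force pattern and needs a different rule (failures per account, not distinct accounts per source). In production the same logic would run over a sliding time window rather than the whole file.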
The news about personally identifiable information (PII) and passwords is that crooks are coming in the back door and hauling out truckloads of information from databases and repositories whose security configurations appear to have been designed as part of some fraternity dare. Names, account numbers, passwords and email addresses are all PII, and nearly every company or organization collects and stores this data.
Now we have episodes like the LinkedIn breach, where 117 million end-user records containing passwords (out of 164 million pilfered) appeared on the dark web four years after being stolen, in a breach the company first said was a loss of 6.5 million credentials.
This realization raises a question. What's going on under the covers at all those other companies that don't yet know they've been hacked? What's missing? What's at risk?
Security advances, including popular trends around authentication and encryption, clearly are aiming to offer greater protections. Time, innovation, political deals and court rulings will tell if these efforts can change the current story line.
We need to figure out how to store less data, protected by better security. Innovators and vendors need to work like heroes to combat these problems; end-users need to clean up their act and ditch the crappy passwords for better authentication; security needs to finally trump convenience; courts and regulatory bodies need to establish precedents for punishing sloppy cybersecurity; and we need to be vigilant Internet citizens who care about who has our data and whether they can protect it adequately.