Wednesday, June 15, 2011
Despite many obvious reasons for ensuring both technical and organisational security measures within a company, many companies (don't be surprised) have yet to implement them.
Unrestricted access to server rooms (for purposes which will set you on the floor laughing, but sadly true), sharing of passwords between colleagues, unlocked cabinets, messy desks with confidential information on display for all eyes, non-secure company websites collecting personal data, and so on. If you're nodding to all of these as you read, then you've got a company that is in breach of the Data Protection Law.
Now, last week in the news, Sony Pictures was humiliated when the hacking group LulzSec claimed it had accessed unencrypted personal data from SonyPictures.com and from Sony BMG's websites in Belgium and the Netherlands. According to the group, getting the information was not that complex: access to SonyPictures.com was gained with a single SQL injection.
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," they claimed.
"This is disgraceful and insecure: they were asking for it."
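The two practices the group describes, shown side by side as an added illustration that is not code from the post or from Sony: a login that splices user input into the SQL text and stores the password as typed, next to a parameterised lookup over salted PBKDF2 hashes. The table layout, account names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline; the schema
    # is an assumption for illustration, not any real site's layout.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret BLOB, salt BLOB)")
    return db


def weak_register(db, name, password):
    # The failure the post describes: the password itself is what gets stored.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, password, b""))


def weak_login(db, name, password):
    # Statement text assembled from untrusted input and compared to plaintext.
    # Any quote character in `name` alters the SQL; the resulting database
    # error is surfaced as None so the breakage is visible to the caller.
    sql = "SELECT 1 FROM users WHERE name = '%s' AND secret = '%s'" % (name, password)
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256: a dumped table yields hashes, not credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def safe_register(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, hash_password(password, salt), salt))


def safe_login(db, name, password):
    # Bound parameters keep input as data; the hash is compared in constant time.
    row = db.execute("SELECT secret, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    secret, salt = row
    return hmac.compare_digest(secret, hash_password(password, salt))


def stored_secret(db, name):
    # What someone who dumps the table would actually see for this account.
    return db.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()[0]
```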
According to Beth Givens, director of Privacy Rights Clearinghouse, the attacks on Sony would seem to indicate lax practices on Sony's part. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards." (Read more: cnetNews)
It is clearly another lesson to be learnt. But are companies learning, or ignoring this important legal and moral duty to their customers? How many companies will take the appropriate security measures now, or will it depend on the budget and short-term profit?