Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Genealogy sites have faced increased scrutiny in the last couple months, after authorities identified alleged Golden State Killer Joseph James DeAngelo through DNA data uploaded to genealogy database GEDmatch. Additionally, personal data privacy has become a hot topic following Facebook’s Cambridge Analytica scandal, and the implementation of the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25.

The GDPR contains new rules and regulations regarding websites’ use of users’ personal, identifiable data, giving users more control over their data and imposing heavy fines on companies that don’t comply. If you’ve been on the internet at all in the last couple weeks following the aforementioned compliance deadline, you’ve most likely seen about a dozen or more pop ups notifying you of changes to websites’ privacy policies or asking you to accept or block cookies that will record information as you peruse the site.

Now, nearly 92.3 million users of the genealogy site MyHeritage will be receiving an additional notice—that their email address was one of those leaked following a breach on October 26, 2017. MyHeritage announced the breach, which involved email addresses and hashed passwords, in a blog post just hours after a security researcher informed them of the leaked data on June 4. They later indicated they would be notifying each affected individual by email. As one of the first companies to announce a breach under GDPR requirements, MyHeritage may become an example for complying with Articles 33-35 of the regulation.

“Pre-GDPR there were no regulations on how and when a business should disclose that they suffered a data breach,” explained Ferruh Mavituna, CEO of web application security company Netsparker. “In fact, we’ve seen a lot of cases in which businesses didn’t even tell their users that there was a data breach.”

Examples of such breaches that come to mind are the 2014 Yahoo breach that affected over 500 million accounts, but wasn’t disclosed until two years later, and the 2016 Uber breach, which affected about 57 million accounts and which the company is accused of intentionally covering up for close to a year.

Now, with the GDPR regulations applying to any company that stores the data of EU citizens, major companies have the obligation to disclose personal data breaches to supervising authorities within 72 hours, and to affected users “without undue delay.”

In the case of MyHeritage, the time between when the security researcher first notified them that the data had been found on an outside private server and the time when they published the first announcement was just eight hours, according to the company. In addition to disclosing the breach promptly, the company announced additional steps they would take in their response to the incident.

“I think so far MyHeritage are handling this breach very well; they have been transparent about the breach, they have set up an Information Security Incident Response Team to investigate the data breach and within just a few days they have implemented two-factor authentication and are encouraging their users to set it up,” Mavituna said.

Back in April, Netsparker released the results of a survey of 302 C-level executives regarding GDPR compliance ahead of the compliance deadline. In one of the questions, the executives were asked whether they thought the regulations would compel or repel companies from disclosing breaches, and the responses were split nearly 50/50. In all, 53.6 percent said businesses would no longer hide breaches and 54.3 percent said the regulations would make businesses more hesitant to report breaches, for fear of the penalties of failing to protect users’ data (respondents could choose both options). Additionally, 25.5 percent of respondents said they didn’t think anything would change.

MyHeritage opted for compliance and transparency, addressing the leak promptly and also setting up 24-hour support for concerned customers to reach out post-breach. The company indicated that email addresses and hashed passwords were the only data leaked and that they had no evidence that any accounts were compromised. They also noted that more sensitive data, such as payment information, family trees and DNA data, were stored separately and were unaffected. The company’s first blog post explained that the one-way hashed passwords involved a different hash key for each user, meaning that someone with access to the hashed password would not have the actual password. But this is the one area where Mavituna found fault in the company’s initial response.

“This does not mean that an attacker cannot access passwords—attackers will still be able to crack weak passwords with brute force attacks. So, users should change their passwords immediately,” he said. “The only disappointment is that they downplayed the importance of the password change in their initial announcement.”
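To make the point concrete, here is a small added example (written for this column, not MyHeritage’s code or Netsparker’s) of what a per-user hash key, or salt, buys and what it does not. Two users who pick the same password get different stored digests, so nothing precomputed carries across accounts; but the salt is stored beside the digest, so checking one candidate password against one record costs exactly one hash computation. The audit function is the defender-side version of that observation: run a breached-password deny list over your own records and expire whatever it flags. Iteration count, usernames and the deny list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed for the demo; production systems use a memory-hard KDF
# and far more iterations than this.
ITERATIONS = 1000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user is the
    'different hash key for each user' described in the announcement."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_same_digest() -> bool:
    """Two accounts with the same password: do they share a digest?"""
    _, digest_a = hash_password("winter2017")
    _, digest_b = hash_password("winter2017")
    return digest_a == digest_b  # False: the per-user salt differs


def audit_against_denylist(records: Dict[str, Tuple[bytes, bytes]],
                           denylist: Iterable[str]) -> Set[str]:
    """Defender-side check: which users chose a password on the deny list?
    Each (record, candidate) pair costs one KDF evaluation; the salt stops
    reuse of work across accounts but adds no cost to a single guess,
    which is why weak passwords stay at risk and forced expiry matters."""
    flagged = set()
    for user, (salt, digest) in records.items():
        if any(verify(candidate, salt, digest) for candidate in denylist):
            flagged.add(user)
    return flagged


# Constructed sample records (hypothetical users, not real data).
RECORDS = {
    "alice": hash_password("password123"),
    "bob": hash_password("correct horse battery staple 2017"),
}
DENYLIST = ["123456", "password123", "qwerty"]
```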

However, MyHeritage has since announced that they will be expiring the passwords of all 92.3 million affected users, as well as an additional 4 million users who signed up after October 26, 2017, forcing users to choose new passwords to ensure their accounts are secure. Should this all go according to plan, MyHeritage users will hopefully not have to worry about the creepy consequences of their actual genetic information being stolen, a possibility contemplated in an article on The Verge two days after the breach was announced.

Going forward, it seems inevitable that more companies will soon be in the same position as MyHeritage was this week, responding to a cybersecurity incident with the new EU regulations in mind. Netsparker’s survey also asked respondents whether they thought the GDPR might make web applications safer: only 2 percent said they did not think businesses would do more to secure their applications after GDPR, with 67.5 percent saying it would make businesses more diligent about changing and updating systems and 64.9 percent predicting companies would invest more in their security.

“The GDPR does not provide any technical guidelines that businesses can refer to so they can build more secure systems, such as PCI DSS. Though because of GDPR and its focus on privacy, businesses are reviewing their systems and procedures to comply with GDPR and automatically building more secure networks and operations,” Mavituna said. “So GDPR does promote more secure systems in an indirect way, which will hopefully result in more secure systems and fewer data breaches and similar incidents.”