Weak passwords and lack of authentication: the root of security breaches

After the recent security breach that hit professional social networking site LinkedIn, social media companies are scrambling to patch over their poor security practices. CIOs who wait too long to address known security holes should worry about seeing their companies targeted, hacked and eventually vilified in the press.

The list of major breaches gets longer every day: LinkedIn, eHarmony and Last.fm are just the recent ones. Add to that list the Department of Defense, TJX, Sony, Heartland Payment Systems, Emory Healthcare, Global Payments … well, you see where this is going.

Damaging data breaches are the norm in 2012, not the exception.

According to the Identity Theft Resource Center, there were 189 known breaches from Jan. 1 of this year through the beginning of June. Those breaches have exposed approximately 13.7 million records.

Why LinkedIn Is Different (and Why It’s Not)

The nature of the data involved helps explain why the LinkedIn breach has gotten so much attention. “LinkedIn’s data is of much higher quality than other sites,” says Paul Kocher, president and chief scientist at Cryptography Research, Inc. (CRI). “There is just so much information about who people really are and what is important to them.”

With high-quality information, attackers can launch much more sophisticated and targeted attacks.

But in other respects, the attack isn’t out of the norm. “People are shocked by LinkedIn’s poor security practices, but this is widespread,” Kocher noted. “Plenty of organizations are far worse off than LinkedIn. It’s easy to start fixing security when you’re motivated by a breach, but until then, many organizations hope for the best.”