In yet another case of hackers worming their way into yet another company’s database, the group chat tool Slack admitted last Friday that they too have fallen victim.
The company said that it had detected a breach of its central database, potentially exposing over 500,000 users' profile information, email addresses, phone numbers and even Skype IDs. The company also stated that the stored data had been protected with a hashing technique and that it didn't believe anyone's data was actually compromised.
The company also announced that it was implementing a two-factor authentication feature and encouraged all of its users to enable it. It has also released a group password kill-switch that enables administrators to reset passwords for an entire team.
This is a prime example of the kinds of things President Obama’s new cyber-crime department should be paying attention to.
Now I don’t think the government is actually capable of preventing attacks like this in the future, but I do think they can influence the ways that companies implement security measures like encryption, require quick reporting of any breaches and ultimately take financial responsibility for any damages caused by hackers.
It should be standard policy (if not law) that any company or organization that collects data like names, addresses (both physical and email), phone numbers, credit card numbers or any other personal information is required to implement some form of encryption.
Companies and organizations should also be required to report any breaches within a few days and contact anyone whose data was potentially compromised within a week if not sooner.
Next, if a company's data is breached and users' personal information is compromised, the company should be held accountable for any and all losses.
Finally, if a company fails to implement these procedures their officers could be held accountable in court.
Now these measures would certainly ruffle a lot of feathers. Most companies would whine about the costs of implementing even a rudimentary form of encryption; they don't want to announce that they've been hacked; they certainly wouldn't want to be held financially responsible if they leak tens of thousands of users' credit card numbers; and obviously no CTO or CEO wants to be dragged into court for failing to follow these rules.
However, companies are reluctant to spend the money or devote resources to protecting their users' data and will only implement these changes if they are forced to.
Companies are going to be hacked; there is no getting around that. But companies should be held accountable for any breaches, and protecting users should not be optional. If you want to collect personal data as part of your business operations, then you have an obligation to protect that data.