One simple trick to make it easier to determine the source is to embed a couple of sentinel records into your DB. That way, if it does get leaked, you are sure that you were the source, and if another party is the source you will know this because your sentinels will not be present. This helps to strengthen the claim that the data was not leaked through your company (it is not a guarantee; after all, it could be an inside job with the sentinels stripped, but the chances are somewhat reduced).
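As an added illustration of the sentinel-record idea (this is not the commenter's code), the block below derives sentinel addresses with an HMAC so they are unguessable but reproducible without keeping a list, and checks a leaked dump for them. It generalises the comment slightly by keying each sentinel to a label (a partner, a backup set, or just "prod"), so a hit also tells you which copy of the data leaked. The key, labels, domain and the dump text are all constructed for the example.

```python
"""Sentinel ("canary") customer records: generate them and look for them in a leak.

Added example, not code from the original thread. SENTINEL_KEY, SAMPLE_LABELS,
the example.net domain and SAMPLE_DUMP are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed secret. In practice keep it in a secrets manager, never in the
# same database as the sentinels it derives.
SENTINEL_KEY = b"example-only-sentinel-key"

# One label per copy of the data you want to be able to tell apart later.
SAMPLE_LABELS = ["prod", "partner-a", "backup-2015"]


def sentinel_email(key: bytes, label: str, domain: str = "example.net") -> str:
    """Derive a sentinel address for `label` (HMAC-SHA256, truncated to 12 hex chars).

    Reproducible from the key alone, so the checker needs no stored list, and
    not guessable by someone who only sees the other sentinels.
    """
    tag = hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:12]
    return f"user.{tag}@{domain}"


def sentinel_records(key: bytes, labels):
    """Plausible-looking rows to store alongside real customers."""
    return [
        {"email": sentinel_email(key, lab), "name": "Sentinel " + lab.title(), "label": lab}
        for lab in labels
    ]


def find_sentinels(key: bytes, labels, leaked_text: str):
    """Return the labels whose sentinel address appears in a leaked dump.

    Matching is case-insensitive on the whole address, and the regex stops at
    ':' so 'email:password' style dumps are handled.
    """
    found = {m.lower() for m in re.findall(r"[\w.+-]+@[\w.-]+", leaked_text)}
    return sorted(lab for lab in labels if sentinel_email(key, lab).lower() in found)


# Constructed dump: real-looking rows plus the partner-a sentinel, capitalised
# to show the case-insensitive match.
SAMPLE_DUMP = "\n".join([
    "jane.doe@example.org:hunter2",
    sentinel_email(SENTINEL_KEY, "partner-a").upper() + ":Summer2015",
    "someone@example.com:letmein",
])


def run_example():
    """Which copies of our data does the sample dump contain sentinels from?"""
    return find_sentinels(SENTINEL_KEY, SAMPLE_LABELS, SAMPLE_DUMP)


if __name__ == "__main__":
    for rec in sentinel_records(SENTINEL_KEY, SAMPLE_LABELS):
        print(rec)
    print("sentinels present in dump:", run_example())
```

Because the sentinel addresses are used nowhere else, any mail that ever arrives at one of them is itself a signal that the copy it marks has leaked, independent of anyone finding the dump.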
But don't companies need to collect and retain data to operate their businesses? Like they need your info to bill you, they need info to login to your account, your emails stored if you use their included email, etc.
Yes, but they don't need to leave it on the porch for anyone to pick up.
We hold the details of over 100M consumers, many of them children. This comprises stuff like their login, order history, etc. We take this shit seriously: keep what's needed only, pentest daily, IDS, wargames, strict infosec policy. And when clowns like TW manage shit like this we all get tarred with the same brush.
Since the TalkTalk hack we have had clients panicking at least twice a week over shit they read in the newspapers.
Black Friday, when all the ecommerce sites melt, is similar: mass panic, at us, even though we've had 100% uptime since May last, and five nines over the year, and have never had any breach of any variety.
There should be steep criminal penalties in place for the officers of a company who allow this to happen. Jail. Business-ending fines.
US isn't even threatening VW officers with jail time (they've recently announced that it will be a civil lawsuit, not penal). US isn't even threatening HSBC officers with jail time, after 30 years of so-called "war on drugs"...
Data can be deleted when it's no longer needed. Sale of data can be forbidden. Old data can be encrypted by the customer's public key so only the customer can initiate access. There are many ways to roll back the madness.
So... give up? Solve that problem through better products or education. The general public needs counterprogramming against the government's idea of encryption.
A "public key" can also just be a secret. "Apple toothpaste monkey piano" is something someone can write down for recovery. They don't need to know it; they just need to remember where they put it (which might be a stretch, yes, but it's better than storing things in plain text).
+1. The data collection greed of corporations and the accompanying utter loss of control for the hapless consumer who is forced to provide said data is very saddening to see. Unfortunately, consumers in this country seem to not give a whit about the immense loss of control they are willingly undergoing. Witness the EFF/T-Mobile Twitter thread as an example where (seemingly few so far) people are agreeing with the TMob CEO and abusing EFF.
1. technologically competent (PCI compliant and more)
2. That company can keep that information along with other financial data.
3. That vendor's code and hardware infrastructure is being periodically audited by a third (independent) party and expert. Or open sourced! Both hardware and software.
3 is crucial to maintain the operating integrity of the company.
Assuming the source of the credentials (malware, other breaches, etc) is correct, 320k isn't outlandish by any means.
My Twitter bot, @dumpmon, comes across thousands of leaked creds per day, and that's only on pastebin.
This, combined with "checker" services that can verify credentials against services like TWC, lets leaked credentials be correlated into "from these x unique dumps, we have a group of creds that all work with TWC as well".
My guess is that TWC was alerted to a file someone was trying to sell that took leaks from other public/private dumps or malware infections, checked them against TWC, and verified that they all happened to work. This would be why TWC wouldn't be able to pin down an exact source - there absolutely doesn't have to be just one source.
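The correlation the comment above describes, as an added example (not the commenter's @dumpmon code): several dumps are parsed into credential-to-source mappings, then checked against a site's own user store. It goes beyond the comment in one way: rather than a live-login "checker", it shows the defender's side of the same check, recomputing the stored salted PBKDF2 hash for each leaked password, so an operator can find which of its accounts a multi-source dump actually unlocks. The dump contents, the user table and the KDF parameters are all constructed for the example.

```python
"""Correlate leaked 'email:password' dumps and check them against our own user store.

Added example, not the commenter's bot or TWC's process. OUR_USERS, DUMPS and
ITERATIONS are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # constructed; use your production KDF settings for real


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the site really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(accounts):
    """{email: password} -> {email: (salt, hash)}; stands in for the real user table."""
    store = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


def parse_dumps(dumps):
    """{dump_name: text of 'email:password' lines} -> {(email, password): {dump names}}.

    Emails are lower-cased so the same credential seen in two dumps with
    different capitalisation collapses to one key with two sources.
    """
    sources = defaultdict(set)
    for name, text in dumps.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue  # skip blanks and lines that aren't email:password
            email, pw = line.split(":", 1)
            sources[(email.strip().lower(), pw)].add(name)
    return sources


def check_against_store(sources, store):
    """Return {email: sorted dump names} for leaked credentials that verify here.

    Constant-time comparison of the recomputed hash; nothing is logged in.
    """
    hits = {}
    for (email, pw), names in sources.items():
        rec = store.get(email)
        if rec is None:
            continue  # not our customer
        salt, digest = rec
        if hmac.compare_digest(hash_password(pw, salt), digest):
            hits.setdefault(email, set()).update(names)
    return {e: sorted(n) for e, n in hits.items()}


# Constructed data. Alice reused one password on a forum and also had it taken
# by a stealer; Bob's real password only appears in the phishing-kit haul; the
# forum entry for Bob is stale and does not verify.
OUR_USERS = make_user_store({
    "alice@example.com": "correct horse",
    "bob@example.com": "hunter2",
    "carol@example.com": "unique-and-long-passphrase",
})
DUMPS = {
    "forum-2014": "alice@example.com:correct horse\nbob@example.com:wrongpass\n",
    "stealer-log": "Alice@Example.com:correct horse\ndave@example.org:abc123\n\n",
    "phish-kit": "bob@example.com:hunter2\n",
}


def run_example():
    """Accounts the combined dumps unlock, with the dumps each came from."""
    return check_against_store(parse_dumps(DUMPS), OUR_USERS)


if __name__ == "__main__":
    for email, names in run_example().items():
        print(f"{email}: valid here, seen in {len(names)} dump(s): {', '.join(names)}")
```

The output groups affected accounts by how many independent dumps supplied the working credential, which is exactly why a breach notice like TWC's can be accurate and still unable to name a single source: nothing in the result points back at one leak.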
Solid analysis, your guess makes a lot of sense IMO. I suspect that these kinds of "breaches" take place far more often than is reported -- I think until people are better educated about the importance of using unique passwords for their individual online accounts, it's an uphill battle.
Poor Time Warner, the little innocent lambs! I hope the responsible executives get a big raise and bonus to help make up for the emotional distress this must be causing them.
Meh not really. If there were real repercussions to fucking up lives because you leaked their private data that would be one thing. Zero sympathy for the company as a whole.
> The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable's customer information, including email addresses.
If the data was stolen through malware then this isn't TWC's fault. People just need more education on how to secure their computers.
Most people in the US have no idea where their information is these days. Any startups developing software that can monitor server connections and use ML to detect unauthorized or unusual connections?
Products range from anti-scraping (Distil) to intrusion prevention (Juniper et al) to traffic-shaping filters (Juniper et al) to content redirection (Netscaler) and beyond.
This is true. They are already collecting all your data in one place so it'll be easier on China or whoever gets your data next. The government is on it guys. No worries.
They don't pay for it. That's why they're "criminals". As opposed to the ones that buy it.
Either way, your privacy is dead, unless you can find a way to not have your home address on your account. I use a UPS box for everything... Except home utilities and Internet / cable.
The article just states it, and when a company does that I assume they are just full of hot air.
If you have a better primary source I would be interested in seeing what form the breach was in, because I assume that would make it a lot more clear what the scope of the problem is.
"In a statement provided to NBC News, the cable giant said "there are no indications that TWC's systems were breached," and suggested the mails may have been acquired earlier by other means, such as malware, phishing attacks on subscribers or security breaches at companies that stored TWC customer information."
So seems like it was just phishing and malware to the unlucky ones.
Hmm, wonder what they mean by that though. Companies they contracted with directly, or for example maybe someone signed up for a forum or another large website using the same email and password as their TWC email?
It seems US legislation on customer data protection needs an upgrade and proper enforcement of ISO 27001 adoption across companies dealing with private personal data. The cheaper alternative exists: prohibit storage of personal data completely, and only accept transactions with anonymous cryptocurrency.
I expect upping the sentence for accessing an "unauthorized system" to a top-level 40-year felony and everyone congratulating each other with a "well that should take care of it!" job well done.
Probably in the same bill, I would expect amnesty for management in exchange for whistleblowing on software engineers that did not follow "best practices".
And finally, perhaps some pamphlets with "tips" to "teach the public" what they can do to better protect their privacy ... none of which will involve not giving your information to large corporations.
Don't forget that they'll bundle it with a law that prohibits kicking puppies... so that if you point out the flaws or say it won't work, they can shoot you down as a naysaying puppy kicking sicko.
Aww crap. I wonder if this applies to former customers / how far back. We were Time Warner until about 2005 when Comcast took over our area. Our service actually significantly improved under Comcast.