Tumblr data breach: Industry reaction

Following the news that 65 million Tumblr accounts have been put up for sale on the Dark Web as a result of a years-old data breach, various industry professionals have offered their thoughts and analysis.

Eduard Meelhuysen, VP EMEA at Netskope:

“With Tumblr recently revealing that a previously undiscovered 2013 data breach affected users, while simultaneously refusing to reveal the scale of this hack, the issue of mandatory data breach reporting is firmly back in the limelight. Since the European Union General Data Protection Regulation (GDPR) came into effect last week, businesses have just two years to change data privacy policies in order to ensure compliance and get to grips with reporting data breaches in a timely manner.

“Often organisations wait to inform customers of a breach, yet under the GDPR, companies will be required to notify national data protection authorities of a serious data breach within 72 hours. In certain cases, businesses will also be required to notify affected individuals so they can take necessary precautions and remain vigilant to cyber criminals making use of their compromised data. Many businesses may initially struggle to comply with such strict measures, but the Tumblr case has demonstrated the importance of identifying and reporting not just the breach itself but also the data most likely to have been affected, as quickly as possible.

“In the end, an independent analysis of the data has revealed that 65 million Tumblr users were victims of the 2013 data breach. As more data is stored off-premises, it is vital that organisations take steps to secure data wherever it may be – especially in cloud apps – remaining vigilant to unusual user behaviour and ensuring the correct security controls are in place.”

Matt Middleton-Leal, regional director, UK & Ireland at CyberArk:

“Personally identifiable information is a high value commodity for hackers; anything that helps to build a complete picture of a person can be far more valuable than credit card numbers. So the ability for hackers to use the leaked emails to tease out more information about individuals via phishing techniques is the concern, as other areas of their digital lives may then be at risk. Many of our online account passwords are the same or similar, so learning which one opens up other doors will be their chosen tactic.

"For organisations, their legal ability to ‘sit on’ historical mega breaches is set to disappear under the new EU General Data Protection Regulation. This means the onus is on them to enforce best practice so, if or when they are breached, data lost or compromised is able to be contained. Real-time monitoring and analysis of user behaviour that gives firms a fighting chance of spotting an attacker when there is an infiltration attempt is what’s needed.”

Jacob Ginsberg, Senior Director, Echoworx:

“Unfortunately, this yet again demonstrates that “good enough” is not good enough when it comes to security. Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defences six months, one year or three years down the line.

If you do the bare minimum now, this won’t do you any good in six months’ time. Using strong encryption, hashing and salting passwords - these should be prerequisites for organisations handling account information.”

Lisa Baergen, Director at NuData Security:

“I sound like a broken record; but here we are again. Just as consumers start to feel secure, news of yet another breach hits the wire. Although usernames and passwords can be changed, victims of a breach need to understand that every bit of information exposed is important and may sit dormant for some time. These credentials are likely sold in packages on the dark web and compiled out of solid profiles of your online identity. Fraudsters are learning that information stolen from various breaches can create more comprehensive 'identity bundles' which sell for a higher value to hackers. With more complete information, more fraud can take place.

Fortunately, there are methods that online providers can take to help keep us consumers safe, while giving true insight into who sits behind the device - and trust it is not the hacker using our identity information online.

User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. Without even interrupting a user's experience, fraud can be predicted and prevented from occurring. The only way to achieve this is by truly being able to identify the identity of the user behind the device.

So, good luck hackers - you can keep stealing our data, but we are going to make this data invaluable to you, and you can’t steal my behaviours!"

David Emm, Principal Security Researcher at Kaspersky Lab:

“Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner; and all companies that handle private data have a duty to secure it properly. It’s good to see that the passwords in this case were hashed and salted; and good also to see Tumblr advising those affected to change their passwords as a precaution. We know that many people use the same password across multiple online accounts, so it’s important that those affected take steps to change their password for other online accounts where they have used the same password.

"Yahoo has said that this hack predates its acquisition of Tumblr, with the company advising that it’s only recently found out about it. Nevertheless, three years is a long time for personal details (e-mail addresses, in this case) to have been exposed. This is a good illustration of the positive impact that will accompany the new EU GDPR (General Data Protection Regulation) – specifically, enforcement of breach notification. After all, one might question the value of closing the stable door three years after the horse bolted.

Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These include running fully updated software, performing regular security audits on website code and running penetration tests on corporate infrastructure. It’s also vital that companies implement an education programme, to raise security awareness among employees.

"The best way for organisations to combat cyber-attacks is at the beginning; by having an effective cyber-security strategy in place before the company becomes a target.”

Image source: Shutterstock/wk1003mike