Industry pros react to AdultFriendFinder data breach

Following today's news that dating website AdultFriendFinder has become the latest victim of a large-scale data breach - with as many as 419 million accounts stolen - various industry professionals have provided their reactions and analysis.

Peter Martin, MD at RelianceACSN:

"This breach on AdultFriendFinder is the second in as many years, which raises serious alarm bells. It’s clear the company has majorly flawed security postures, and given the sensitivity of the data the company holds this cannot be tolerated.

"There is a worrying trend where organisations believe that a cyber breach is inevitable – and this isn’t right. The only way to shore up defences is by getting the basics right, from implementing the correct procedures, managing critical assets through a proactive and integrated approach.

"It doesn’t matter what industry you are in. Company directors and managers are legally accountable for people's personal data. Businesses need to professionalise their operational data security. To do this they’ll need trained experts and engineers, not well-meaning but overworked internal staff doing their best. That approach is no longer good enough. Until organisations have got the basics right we’ll continue to see breaches like this happening on a daily basis."

David Kennerley, director of threat research at Webroot:

“This attack on AdultFriendFinder is extremely similar to the breach it suffered last year. It appears not only to have been discovered once the stolen details were leaked online, but even details of users who believed they had deleted their accounts have been stolen again. It’s clear that the organisation has failed to learn from its past mistakes, and the result is 412 million victims who will be prime targets for blackmail, phishing attacks and other cyber fraud.

"All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide them with the greatest scope of protection.

“It goes without saying that systems, software and processes should be regularly reviewed, and previously accepted risk levels may no longer suffice. For the consumer, unfortunately, you need to consider whether you’re ultimately happy with anything you post online being made public, as every day there seems to be news of another breach.”

Justine Cross, Regional Director at Watchful Software:

“The public has long since run out of patience for companies that fail to protect their data, and the Friendfinder Network is just the latest example proving that businesses must take a new stance to keep information in their care safe.

"While companies obviously need to harden their defences against intrusion as much as possible, they must also prepare their data for the event of a successful attack. All data pertaining to customers should be automatically classified and encrypted the moment it is created, ensuring that only authorised users can open it. With this in place, even if data is stolen it will be much more difficult for criminals to make use of it.

"Aside from the inevitable legal and reputational backlash, it’s also worth noting that the Friendfinder Network breach would certainly be subject to the upcoming EU GDPR and the huge potential fines it can levy.”

Ilia Kolochenko, CEO of High-Tech Bridge:

“As per the information currently available around the breach, it’s quite probable that a vulnerable web application was used to steal the data. With this breach of 400 million accounts we should expect a domino effect of smaller data breaches through password reuse and spear-phishing.

"Some large companies handling and processing personal data still fail to respect, and even intentionally neglect, the basics of information security. Despite numerous reports of increasing cybersecurity spending during the last few years, many companies do spend more but aren’t becoming more secure. A holistic risk assessment, comprehensive asset inventory and continuous security monitoring are often omitted, even though they are probably the most important parts of information security strategy and management.

"GDPR enforcement will probably help to minimise this type of incident in the future; however, it will take some time. Users should keep in mind that everything they post or share online may become public one day. Keep this in mind and it will prevent many bad things from happening online.”