Only a few days after the Marriott International data breach, consumers are waking up to headlines of another hack, this time at Quora.com. Personal details, including passwords, full names and email addresses, for over 100 million people have been exposed - an absolute gold mine for hackers.
Robin Tombs, Co-Founder and CEO of Yoti, believes the latest breach shows us passwords are no longer fit for purpose - they can easily fall into the wrong hands and put precious data at risk.
Here he highlights the five lessons that have been learnt from the Quora breach and explains that the only way for individuals to take control of their own data is to use verified digital identities to share their details with businesses.
Lesson 1: Secure accounts with biometrics instead of passwords
As this latest breach shows, passwords can easily be exposed and fall into the wrong hands.
Hackers can then use those passwords to gain access to other accounts, as many people reuse the same password across multiple sites.
This isn’t surprising given the average person has 191 passwords.
Companies should no longer be relying on usernames and passwords alone to secure accounts. Instead they should offer more secure solutions, for example giving individuals the chance to log in using their biometrics, such as a fingerprint or selfie.
Biometrics are unique to each person, making them more secure than PINs and passwords. Not only do they give us greater protection of our online accounts and personal information, but they’re also more convenient as we no longer have to remember different login details.
In the wake of so many data breaches, companies are looking for an alternative to passwords in a bid to make customers’ lives easier and speed up the authentication process, all while ensuring customer data stays safe.
Lesson 2: Use verified digital identities to share information
In many data breaches, including the Quora one, names, email addresses and passwords were exposed.
It is very easy for a hacker to use personal information obtained from a data breach to pretend to be another person, access online accounts and sign up to websites.
One way to combat this is to let individuals use a digital identity to share their verified details.
For example, a digital identity on an individual’s phone, secured with their biometrics, gives them more control over their data. Their biometrics are unique to them, so only they can access and share their verified details with a business.
This also gives the business confidence that the right person is sharing their information.
Lesson 3: Be transparent
It is crucial that companies inform consumers as soon as they know about a breach so individuals can take steps to minimise any potential damage - for instance changing their passwords and monitoring bank statements for unusual activity.
Companies need to be transparent with details of the breach: how it happened, who is affected, what data is compromised, and what steps they are taking now.
Some of the bigger high-profile data breaches in the past few years were not disclosed until months, or in some cases years, after they initially happened.
In Quora’s public posting (https://blog.quora.com/Quora-Security-Update), the company has not given timelines and dates about how long ago the hackers gained access, or how it noticed that the compromise happened. These are things that could be made known.
We have to trust companies will keep our data safe but when this does not happen, they need to be transparent about what has happened and why.
Lesson 4: Only ask for the necessary details
Companies should only ask for the necessary information they need from individuals - this helps to strike a balance between confidentiality and giving companies the details they need.
It minimises the amount of information potentially exposed in a data breach - helping to protect individuals against the ever-growing threat of identity fraud.
Lesson 5: Keep track of your online accounts
Many people were surprised to get an email from Quora about the breach, having forgotten they even had a Quora account.
It is important we try and keep track of our online accounts and delete any we no longer use - especially if we have reused the same passwords across multiple sites.
A password manager which securely stores login details for your online accounts is a good way to keep track of the different websites you have signed up for.
Ideally a password manager would not be secured with a master password - if someone cracks that password they would then have access to all of your login details. Instead it should be secured with your biometrics - these are unique to you, so only you, and you alone, can access your passwords.
Robin Tombs, Co-Founder and CEO, Yoti