Tag: breach

  • 500M LinkedIn Profiles

    Just after Facebook lost 500M user profiles to the public Internet, it’s LinkedIn’s turn a week later. Wherever data is collected, data is subject to breach or theft.

    Like the Facebook incident earlier this week, the information — including user profile IDs, email addresses and other PII — was scraped from the social-media platform.

    From the article

    via threatpost.com

  • Facebook lost phone numbers

    Again, it’s Facebook that made news with a data breach. TechCrunch reported it first around midnight European time, and by noon today it is all over the news. It’s time to realize social media is a mistake.

  • What We Can Learn from the Capital One Hack

    Capital One

    Earlier this week, it became public that Capital One was the victim of a privacy leak affecting more than 100 million of its customers. News reports revealed details about the source of the attack, which an individual apparently conducted and then bragged about publicly.

    Now, a few days later and with more facts known, the always excellent Krebs on Security blog offers some lessons learned from the incident. It has good statements from Netflix, CloudFlare, DisruptOS and AWS personnel, including quotes about the involvement of IAM, EC2 and WAF. In particular, it points out the mitigations that AWS recommends in response to Server Side Request Forgery (SSRF).

    Interesting is the conclusion Rich Mogull reaches: that the industry faces a major gap in skills related to this kind of cloud security. Basic skill, and the availability of it, has always been a major gap in the entire industry; with the arrival of the cloud it only becomes scarcer. Mostly this is because corporations maintain both their existing data centers and new cloud infrastructure, missing out on the opportunity to become more secure in the cloud.

    Source: What We Can Learn from the Capital One Hack

  • Why Data Breaches Don’t Hurt Stock Prices

    Why Data Breaches Don’t Hurt Stock Prices.

    In short: because there is no reliable metric to make the impact transparent to shareholders and customers.

    via Harvard Business Review.

  • MongoDB with no protection

    Students at the “Universität des Saarlandes” found almost 40k MongoDB instances, apparently with no security at all. Access to these databases includes write permissions.

    Universität des Saarlandes: Aktuelles aus Studium und Forschung.