We need to talk about passwords

23 May 2022 12:58 AM By CIO Studio

Recently, it was AA Traveller’s turn to reveal a huge hack that stole the details of potentially hundreds of thousands of kiwis. This reportedly included unencrypted passwords.

But they’re not alone – so how do we protect our passwords and why does it matter?

What happened to AA Traveller?

While we don’t want to pick on AA Traveller specifically, given this is a really widespread issue, it is a good example of what can go wrong if we don’t all do our bit to protect passwords.

In this case, the hack was of an old website that was still up but no longer in use – the AA Traveller site used from 2003 until 2018. They discovered the breach in March this year but worked out that the data had actually been stolen in August last year.

The breach amounted to hundreds of thousands of kiwis and included personal details, email addresses and passwords. And the resultant fallout is an excellent example of why companies need to do better – they’ve taken a reputational hit and potentially put their users at risk.

So, what went wrong?

Interestingly, these days you almost have to assume that a password you enter online will be compromised at some stage. If even the big players like Dropbox and Microsoft can’t stop hackers, smaller players really don’t stand a chance.

This is exactly why companies who hold personal details and passwords need to do more to protect them. In the first instance, passwords shouldn’t be stored in a way that makes them easy to uncover. At a minimum, the password should be scrambled one-way (or “hashed”) in a secure manner, so that if a hacker manages to get access to the database, they still can’t get the passwords.

Using a “salted hash” to store passwords has been quite popular: every password is hashed together with different random characters (called a “salt”), so two people with the same password end up with different stored values. However, these days that’s not even enough on its own. For those reading with a technical mindset, this article explains why.
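As an added example (not code from the article or from AA Traveller’s systems), here is the plain “salted hash” the article describes beside the slow, salted key-derivation approach that is now expected; the PBKDF2 iteration count, the stored-record format and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example (not from the article).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def salted_sha256(password: str, salt: bytes) -> bytes:
    """The 'salted hash' of the article: one fast hash over salt + password.

    The salt defeats precomputed tables, but a fast hash still lets whoever
    holds the stolen database test huge numbers of guesses offline.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store with a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256).

    The record carries its own salt and cost, so each password gets a fresh
    random salt and old records can later be upgraded to a higher cost.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a lower cost than current policy."""
    return int(stored.split("$")[1]) < iterations
```

Because the stored string contains its own salt and iteration count, a site can raise the cost over time and rehash each user on their next successful login.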

Just as important, however, is a good data retention policy. Or to put it another way, companies shouldn’t be hanging onto your data if they don’t need it anymore. So, this data really should have been destroyed back in 2018.

But as I say, this isn’t about AA Traveller – it’s a widespread issue.

If you’re a company storing customer details

If your company stores details about your customers, especially passwords and other sensitive things like ID details or credit card details, you have to absolutely make sure you’re doing it right.

AA Traveller did the right thing when they found out what had happened – they got in the experts, were open with their customers, admitted they got it wrong, apologised, and took steps to make sure it will never happen again.

However, their reputation still took a hammering, and you don’t want that to be you.

You need to get the experts in before this happens to review what you’re doing with information, your overall architecture, and the steps you’re taking to protect data. Some of this comes down to strategy, and some of it comes down to implementation.

We can help make that happen – drop us a note to get started.

How to protect yourself

Companies do need to do better, but the reality is that we all need to do more to protect ourselves as well.

You might ask why it matters if a hacker gets your email and a password you used on an old travel website a few years ago. It’s not like they can book travel anymore.

The problem is that too many of us use the same passwords on different websites. The hackers get it from that site, and then use that combination on lots of other sites to get in. Maybe it’s a site with your credit card saved, or worse.

Interestingly, one massive hack at Dropbox came about because a Dropbox engineer used the same password on his work account as he used for the social network LinkedIn. Hackers had previously hacked LinkedIn and found that person’s password, and the rest is history. If it can happen to a senior engineer, it can happen to you!

But there is an easy way to protect yourself and limit the damage.

First things first, don’t use the same password on multiple sites. I’m sure you’ve heard that advice before. If one site is hacked, you don’t want them getting your password to other websites as well.

That might sound easier said than done, but fortunately, there’s good tech that will help with this and make it easy. The key is to use a password manager like LastPass or 1Password to create a unique password for every website you visit. There’s a free version, or a few dollars a month will give premium protection.

Also, where possible, set up a thing called two-factor authentication. All of the banks use this now, and increasingly more and more other sites do too. It won’t be long until it’s mandatory on most sites – passwords simply aren’t enough on their own these days.

2FA (as it’s called) means that instead of just relying on a password, you need to confirm you’re you by some other means as well. For example, the site will send you a text message with a random number you have to type in to show that it’s really you (as it’s unlikely a hacker will have your telephone). So if a hacker does get your password, it’s not enough.

It might seem like a bit of a pain, but if the option’s there, use it! You’ll be happy about it later.

Another thing to watch is any website that emails you your password or shows it on screen. Once they’ve scrambled your password, even they shouldn’t be able to unscramble it. If they can tell you what it is, they’re likely storing it in plain text, which is a hacker’s dream.

This doesn’t occur so much anymore but does still happen. And lastly, there’s a website called haveibeenpwned.com that will tell you if your email address was in any of the really big recent hacks. If you want a fright, pop over to that site and take a look.

In summary, we all need to do better to protect passwords and other sensitive info. If you’re a company, you will likely get hacked sooner or later – that’s just the reality. You need to take these precautions now and make sure someone who knows what they’re doing is advising. If you’re a user, take steps to protect yourself.

You may never know that it saved your bacon, but you’ll certainly know if you don’t.

Paul Matthews is the chief executive of CIO Studio. Click here to talk to the team about how we can help your company do it right.
