Scam of the day – September 21, 2015 – Dangerous new development in Ashley Madison hacking

By now everyone is aware of the major data breach at Ashley Madison, the dating site for married people seeking to have an affair. In August the hackers followed through with their threat and released 9.7 gigabytes of the stolen data, including email addresses, credit card transaction details, partial credit card numbers, addresses and even dating profiles. Now a new and potentially dangerous development has been uncovered by the hacking group known as CynoSure Prime, which discovered vulnerabilities in the password security algorithms used by Ashley Madison that put the passwords of 11.7 million Ashley Madison users in danger of being hacked. Ashley Madison switched over to a secure encryption program for protecting passwords in 2012; however, anyone who used Ashley Madison prior to June 14, 2012 continued to have their passwords protected by the weaker and more hackable security program used at that time. Because many people use the same password for all of their accounts, including online banking, those early users of Ashley Madison are in extreme danger of identity theft by hackers who can readily discover their passwords and use them to gain access to their other online accounts.

TIPS

The lesson here for early users of Ashley Madison is to change the passwords for all of their accounts as soon as possible. The lesson for the rest of us is to remember that you should always have a distinct and unique password for each of your online accounts. It should be a complex password so that it cannot be broken by simple brute force attacks that try millions of guessable combinations, such as any word in the dictionary or such common passwords as 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords”, and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password. Now you can just adapt it for each of your online accounts with a few letters to identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – September 7, 2015 – Sony settles lawsuit with former employees over data breach

In the wake of the major data breach at Sony Pictures Entertainment last year, in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was exposed, nine former employees affected by the data breach sued Sony, alleging that it was negligent in failing to protect their personal information. I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment, in my Scam of the day for March 13, 2015. Now a settlement agreement has been reached between the plaintiffs and Sony that has been submitted to the federal court for approval. Terms of the settlement have not been disclosed.

The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. Sony’s failings are many. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” with a compendium of passwords, giving the hackers ready access to sensitive information. These are just a few of Sony’s failings.

TIPS

There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches, other than to ask these companies what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer. Additionally, we should try to limit as much as possible the personal information that we provide to such companies. For instance, your medical care providers do not need your Social Security number, although most medical care providers routinely ask for it. The Sony lawsuit was the first of a number of recent lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security.

Scam of the day – August 23, 2015 – Ashley Madison class actions

A lawsuit has been filed in Canada against Ashley Madison seeking class action status on behalf of Canadian members of Ashley Madison whose personal information was divulged by hackers recently. The action is being brought against Ashley Madison for failing to protect the privacy of the data that it compiled and retained regarding its members. Meanwhile, in the United States, the Oklahoma law firm of Abington, Cole & Ellery is also considering filing a class action against Ashley Madison on similar grounds on behalf of American victims of the data breach.

TIPS

For more information about the Canadian class action, you can go to the website of Charney Lawyers, one of the law firms that filed the action, by clicking on this link: http://www.charneylawyers.com/Charney/ashleymadisonclassaction.php

For more information about the possible American class action, you can go to the website of Abington, Cole & Ellery by clicking on this link: http://abingtonlaw.com/Ashley-Madison-Data-Breach-class-action-lawsuit.html

As for the rest of us who never had any involvement with Ashley Madison, this data breach should serve as a cautionary lesson that every company or governmental agency is susceptible to data breaches and that we all should try to limit as much as possible the amount of personal information provided to any entity with which we do business. In addition, because of the likelihood of a data breach, never provide information to a company that you would be embarrassed to be associated with.