What does the Gmail hack tell us about data security?

Analytics Solutions Social Specialist, IBM

Data breaches are once again taking center stage in the news. This time it’s Google making headlines, after five million Gmail accounts and passwords were posted to a Russian bitcoin forum on Tuesday; claims on the website purport that sixty percent of these accounts are active and in use. Panicked Gmail users flocked to the hundreds of articles instructing them how to verify whether their account was hacked, how to ensure their email is secure and tips on password privacy and protection. To worsen the situation, hackers took advantage of the public panic through what is called a “honeypot” scheme wherein they promised to verify consumers’ security while actually obtaining private information.

Investigation by security experts and internet users revealed that the account information was not obtained through Google, but rather from third-party sites where Gmail members used their email address as a login. Suspected third-party sites include Friendster and Filedropper. For this reason, many of the passwords are either old Gmail passwords or were never associated with a Gmail account at all.


Google conducted its own investigation and released a report saying that they found only two percent of account information to be current and usable—about 100,000. This is much less than the “five million” number that is being thrown around in news headlines. It is still, however, a significant amount of Gmail users whose personal information is now compromised.

Most of the investigations seem to suggest that those 100,000 were accurate because their owners were using the same password for multiple logins—their email and their Friendster account, for example. Google offers two-factor authentication to help keep accounts more secure in the event of data breaches. It also has automated anti-hijacking systems in place to alert account users to potential hacks. As soon as the news about the leak hit, Google also took steps to identify at-risk users and notify them to change their access information.

In light of all these measures taken by Google, and the latest understanding of the leak's origins, is this a case in which a data breach was due not to a company's lack of preparation, but rather to users' passivity with regard to their own personal security? It certainly did not help Google that this news came on the heels of a number of high-profile company data breaches that had already raised public concern.

Today, personal information is increasingly available online in bulk and our online presences are becoming more interconnected through functions like “sign in with Facebook” or “create an account through your Gmail,” which aspire to create one singular profile for use everywhere on the web. As a result, users’ email, social media accounts, shopping profiles and online payment accounts are all linked in some manner. This web of personal data makes it more difficult to restrict security to the origin of the information—and makes data more vulnerable to attacks from predatory hackers.

Google will hopefully come out clean thanks to their quick response and the multiple security measures they already had in place to protect their users. The amount of news attention this leak received, though, shows that the public is aware of how much information they are putting on the internet—and concerned about how companies are protecting that data.

If you are interested in learning more about how business leaders are responding to the threat of sensitive data exposure, join John Kindervag of Forrester and Jeff Scheepers of IBM on Wednesday, September 17 for a webcast on Data Privacy and the 2014 Forrester Survey Results.