A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data also known as personally identifiable information (PII).
According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace. RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords. The suit alleges violations of California Civil Code, breach of contract, and negligence.
Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)…" As such, RockYou may face liability for data exposures across other platforms.
Mr. Remillard notes that he has been warning site owners about the risks of holding PII information of consumers. I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach. If a business must store PII in its systems then a data loss and security plan must be in place to protect the data. In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of its customers.
Dave Kravets of Wired.com offers some more details about RockYou’s alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment System. The vulnerability results from RockYou’s SQL database,which relates to the actual storage method and management of millions of email accounts and passwords. The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.
Brennon Slattery of PCworld wrote about the security breach and compared RockYou’s security system to storing passwords and emails on sticky notes. He noted that RockYou stored the information in plain text words. In other words, once the hacker got inside RockYou’s system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text.
RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords. Encryption is the method used to make the passwords unreadable once the hacker gains access to the system.
The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan.