Hell Week at LinkedIn: Hack Signals a Compromise of Reputation

By Jim Engineer, Principal, e-Rainmaker Public Relations

The June 6 compromise of approximately 6.5 million LinkedIn passwords (covered here and on CommPro.biz here) has had the professional social networking behemoth scrambling to respond to a slew of negative publicity and user bewilderment over how such a ballyhooed social media darling could be compromised so easily.

LinkedIn (NYSE: LNKD) went public approximately 13 months ago. Since then, and highlighted most recently by the Facebook IPO flop, the chorus of questions, speculation and expectation surrounding social media companies has grown louder. From varying valuations and questions on revenue generation to privacy and security issues, trust in the most prominent social media networks is waning.

LinkedIn and other social media networks rely on reputation building through positive user experience and viral adoption to gain traction. With more than 160 million subscribers (as of March 2012), the LinkedIn password compromise reverberated loudly and had many in the security industry asking questions like: What security best practices were in place to detect, respond to and contain the threat? Were incident response plans in place and used? What password authentication tools and other security investments were in place to combat the threat?

Two days following the breach, outstanding reporting from veteran security industry journalist Eric Chabrow revealed that publicly traded LinkedIn had neither a Chief Information Officer nor a Chief Information Security Officer. Moreover, LinkedIn disclosed the breach to subscribers via a blog post by Vicente Silveira, a director, with instructions on how to remedy and safeguard LinkedIn accounts.

Why not put LinkedIn CEO Jeff Weiner front and center to address the problem and ways to protect accounts? Why not set up a hotline to address member needs? Why not use video as a better, more personable platform? Were FAQs distributed? Was any advance crisis communications plan in place?

Perhaps no better assessment of the LinkedIn breach exists than a June 12 Sydney Morning Herald article by Nicole Perlroth titled “LinkedIn hack exposes a lax attitude to security.” The article states:

‘What surprised customers and security experts alike is that a company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it.’

The article goes on to quote Silveira’s blog post and drills down further into the company’s claims:

Silveira, a director with LinkedIn, said the company had invalidated passwords for compromised accounts and said members would ‘benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.’

But Julie Inouye, a spokeswoman for LinkedIn, would not say when the company started hashing and salting its passwords, or why it did not enact these security measures in the first place.

Why the company didn’t hash and salt its passwords in the first place is mind-boggling and forces the ultimate question: What security investments and policies were in place prior to the compromise?
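To make the hashing-and-salting point above concrete, here is an added illustration that is not part of the original article: it contrasts an unsalted single-pass hash (assumed here to be the “before” state) with a per-user salted, iterated hash, and counts how many hash evaluations it takes to recover the sample accounts from a short wordlist under each scheme. The account names, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts, not real LinkedIn data.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "letmein"}
# Constructed stand-in for a list of common passwords.
COMMON = ["123456", "Password1", "linkedin", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; tune per deployment)

def hash_unsalted(password: str) -> str:
    """Weak scheme: a single unsalted SHA-1 per password (assumed 'before' state)."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> bytes:
    """Hardened scheme: per-user random salt plus slow, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_salted_store(users: dict) -> dict:
    """Return {user: (salt, digest)}; the salt is stored in the clear beside the digest."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_salted(password, salt))
    return store

def verify(user: str, password: str, store: dict) -> bool:
    """Constant-time comparison of a login attempt against the salted record."""
    salt, digest = store[user]
    return hmac.compare_digest(hash_salted(password, salt), digest)

def recovery_cost_unsalted(store: dict, wordlist: list) -> tuple:
    """Cost model: one table built from the wordlist matches every user at once.
    Returns (users recovered, number of hash evaluations needed)."""
    table = {hash_unsalted(w): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}, len(wordlist)

def recovery_cost_salted(store: dict, wordlist: list) -> tuple:
    """Cost model: a salt makes the table unshareable, so each user costs a fresh
    pass over the wordlist, and every evaluation is ITERATIONS times slower."""
    found, evaluations = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_salted(word, salt), digest):
                found[user] = word
                break
    return found, evaluations
```

With the unsalted store, alice and bob share one digest and the whole wordlist is hashed once for all users; with the salted store their digests differ and the work grows with the number of users and the iteration count.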

Just one week before the LinkedIn attack, Gartner predicted that by 2015, a majority of corporations will be monitoring employee use of sites like Facebook and YouTube for security breaches. While fewer than 10 percent of companies monitor social media use for this purpose today, the figure is expected to jump to 60 percent in the next three years.

Read more: Gartner: More companies to monitor social media for security purposes – FierceCIO http://www.fiercecio.com/story/gartner-more-companies-monitor-social-media-security-purposes/2012-05-30?utm_medium=nl&utm_source=internal#ixzz1xcGwmyqM

Today’s advanced malware spreads through many channels: Twitter direct messages, shortened links, malware embedded in videos and ads, and systematic password cracking, to name a few. Passwords are vulnerable if not changed regularly, or if the same password is reused across multiple online services.

As consumers of social media we are interconnected, more in touch and more in sync with one another for our own vested interests. Yet can we continue to use social media without demanding more data security accountability from social media service providers?

Social media networks risk their own survival without a proper realization of today’s threats, and how truly vulnerable we are to sophisticated social engineering attack schemes. Reputation, goodwill and true equity in a social media relationship are all tied to the platform’s ability to provide a safe, valuable and sustainable user experience.

Social media networks should embrace the role of security and privacy in the user experience, as well as the inevitability of attack that is all too commonplace and sadly proven over time. Getting caught flat-footed again may cost LinkedIn by way of user exodus, or the emergence of new professional networking platforms that are more secure and scalable for the long term. 

###

Jim Engineer is principal of e-Rainmaker Public Relations, a boutique PR practice specializing in the information security industry, currently in its 14th year of business. Jim is a recipient of the 2011 Bulldog Reporter Stars of PR Media Relations Professional of the Year Award for MANDIANT Buzz | Responsible Media Relations for the Information Security Industry. Jim can be reached at jim.engineer@e-rainmaker.com or @jimengineer on Twitter.

Published: June 13, 2012 By: fays