LivingSocial Hack: Unanswered Questions
Attorneys Analyze Breach Response, Security Issues
After an April 26 attack on the website for LivingSocial exposed information about 50 million customers, the company's public response left too many unanswered questions, one legal expert says.
The company, which offers featured discounts and daily deals for stores worldwide, revealed that compromised information included e-mail addresses, encrypted passwords and dates of birth for some users. It requested that users reset their passwords. And it stressed that a separate database that stores customer credit card information was not hacked.
See Also: OnDemand | Realities of Choosing a Response Provider
Access to Information
Although attorney Ronald Raether says LivingSocial did a good job of communicating certain information to customers, he contends that it left some important questions unanswered.
A key question that should have been answered is: "What did the bad guys get away with?"
"One thing I haven't seen talked about is [whether] LivingSocial had the means of being able to tell whether someone was able to take stuff out [of the database]," says Raether, partner at Faruki Ireland & Cox in Dayton, Ohio. "By being silent, you assume the worst. The assumption is bad guys got away with 50 million e-mails and hashed passwords."
Raether, who specializes in data security issues, criticizes LivingSocial for providing too many technical details about its salted and hashed passwords, which he says are meaningless to the average consumer.
The attorney also says the company should have done more to warn consumers about phishing attempts that might take advantage of the exposed e-mails.
"If I had to balance my [communications], it would be to ensure everyone that credit card information isn't at risk, you need to change your password and emphasize to not trust e-mails you're getting," Raether says.
While LivingSocial isn't discussing any details of the attack, which is now under investigation, it confirmed in an e-mail that it's notifying more than 50 million customers whose data may have been affected by the cyber-attack.
Adequate Protection?
Attorney David Navetta, a security specialist with Information Law Group, questions if LivingSocial customers' passwords were adequately protected, based on statements from the company.
"I don't know if the hashing may have been at the highest level to prevent certain types of brute-force [attacks]," he says. "I find it interesting that they say they would use a higher level of encryption going forward."
While information on the attack is still sparse, Navetta feels more will be revealed in the coming weeks.
"Many companies wouldn't even report something like this if they felt the data was properly encrypted," he says.
Large cyber-attacks, like the one affecting LivingSocial, are becoming more common. For example, LinkedIn last June confirmed that approximately 6.5 million hashed passwords were posted on an underground hacker forum, and it acknowledged that some of the passwords were decoded and published [see: LinkedIn, New Breaches Raise Issues].
In the wake of these attacks, companies must do "damage control," Navetta explains. And this can prove challenging because "after a breach of this magnitude and complexity, it is difficult to do an investigation quickly and get the information right."
