A Russian hacking group reportedly carried out the largest known cyberattack to date, amassing over 1.2 billion unique username-and-password combinations and 500 million email addresses from more than 420,000 web and FTP sites. The attack was uncovered by Hold Security, an information security company based in Milwaukee, which had been investigating it for several months. Various news reports have confirmed the company’s findings.[1] Among the victims are “leaders in virtually all industries across the world,”[2] including “the auto industry, real estate, oil companies, consulting firms, car rental businesses, hotels, computer hardware and software firms and the food industry,” but Hold Security is not naming specific victims.[3] The security firm intends to reach out to individual victims confidentially.[4] The Russian hackers reportedly used a technique known as SQL injection, which exploits a security vulnerability in an application’s software to inject malicious SQL commands into the application’s database queries.[5]
Companies affected by the cyberattack that collect information from California or Florida residents may be obligated under those states’ data breach notification laws to notify affected individuals and government agencies. Both California and Florida define personally identifiable information to include an email address or username in combination with a password, among other data elements. Accordingly, if consumer usernames or email addresses together with passwords were stolen by the Russian hackers, companies that collect that information from California or Florida residents may have a duty to notify the affected consumers and report the breach to government authorities.
In addition, even state data breach notification laws that do not define personal information to include usernames and passwords may be implicated if there is evidence that the hackers used the stolen credentials to gain access to a consumer’s account and were able to obtain additional personal identifying information about the consumer from the website. For example, the hackers could use the login information to access the user’s account details, potentially including the consumer’s name, date of birth, address or account numbers. Although there are no reports that the hackers have used the username and password information to gain access to additional personal identifying information available on the websites, if that activity is suspected, entities may have an obligation under state data breach laws to notify consumers.
This massive attack highlights the need for increased website security across all industries. Companies should no longer rely on “trusted” web applications to adequately protect their information; instead, they should focus on implementing their own network defenses. Website managers should immediately begin testing their sites for intrusions and apply any available patches for their web servers, database servers, and applications. Clients should also contact third-party service providers to confirm that those vendors are monitoring for fraud and applying security patches. Clients should take proactive measures immediately, such as performing a risk analysis to assess the risks to the personally identifiable information they collect and maintain. Clients should ensure that they collect only the data that is necessary and adopt technical measures to protect it, including encryption or a suitable hashing mechanism for stored passwords. Clients should also update privacy policies and procedures, and implement procedures to identify and respond to breach events.
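Two of the measures above can be shown concretely. The following is an added example written for this page, not code from the alert’s authors, from Hold Security or from any affected site: it places a user lookup that splices input into the SQL text (the class of flaw the reported attack relied on) beside a parameterized query, and stores passwords only as salted PBKDF2 digests so that a copied table does not yield the passwords themselves. The table layout, sample accounts, probe value and iteration count are all constructed for the demonstration.

```python
"""Constructed demonstration: parameterized SQL plus salted password hashing.

Everything here (schema, sample users, probe value, iteration count) is made
up for the example; none of it comes from the alert or from any victim site.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Assumption for this demo: PBKDF2-HMAC-SHA256 with this many iterations.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a password digest with a per-user random salt.

    A random salt means two users with the same password get different
    digests, and a stolen table cannot be attacked with one precomputed list.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """In-memory user table with two constructed accounts; only digests are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    for username, password in [("alice", "correct horse battery staple"), ("bob", "hunter2")]:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, bytes]]:
    """VULNERABLE: the input becomes part of the SQL text, so a value containing
    a quote rewrites the WHERE clause and the query returns every row.
    Kept only as the 'before' half of the comparison."""
    sql = "SELECT username, digest FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, bytes]]:
    """Hardened: the driver sends the value separately from the query text, so
    quotes or keywords in the input are matched literally, never executed."""
    sql = "SELECT username, digest FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def stored_record(conn: sqlite3.Connection, username: str) -> Optional[Tuple[bytes, bytes]]:
    """Fetch (salt, digest) for one user with a parameterized query."""
    return conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # constructed test value: closes the literal and adds a true clause
    print("unsafe lookup rows:", len(lookup_unsafe(db, probe)))  # whole table returned
    print("safe lookup rows:  ", len(lookup_safe(db, probe)))    # no such username
    salt, digest = stored_record(db, "alice")
    print("alice verifies:", verify_password("correct horse battery staple", salt, digest))
    print("stored value is not the password:", digest != b"correct horse battery staple")
```

The two lookups differ only in how the username reaches the database engine, which is the whole point: the safe form needs no escaping logic of its own. The hashing half is the second line of defence the alert calls for; it does not stop a query-level flaw, but it limits what a copied table is worth.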