September 26, 2012
On the heels of a Forrester Research study's indication that employees are responsible for most data breaches, a new report was released that details a national agency's mistake of leaking some of its members' personal information.
According to Romanian researcher Radu Dragusin, who discovered the incident, the Institute of Electrical and Electronics Engineers (IEEE) is the latest organization to experience a data breach on its FTP server, which led to the exposure of names and passwords of its 100,000 members, Network World reported.
The IEEE is a professional technology association with 400,000 members and a tradition of developing agreements for technical standards.
According to the source, Dragusin, who is a teaching assistant at the University of Copenhagen, claimed that the confidential information was publicly available in plain text for a month before he found the mistake. Victims of the breach included employees of Apple, Google, IBM, Oracle and Samsung, as well as NASA and Stanford researchers.
Dragusin uncovered the incident on September 18, but was unsure how to proceed. A few days later, he informed the IEEE, and the agency resolved the problem in a matter of hours, but has yet to publicly acknowledge the breach, the source reported. To protect the identities of the victims, the discoverer of the breach does not plan to post the log information online.
What went wrong
The biggest problem about this case, experts agree, is that the IEEE did not implement stronger network security measures to its web server logs located on ieee.org and spectrum.ieee.org, Network World reported.
According to Torsten George, the vice president of marketing at Agilent Technologies, IEEE was also keeping passwords in plain text as opposed to using encryption. As reports show that data breaches are increasing among corporations, companies should know better than to store confidential data in an easy-to-access format.
ZDNet reported that after an analysis of the information, Dragusin found the most popular password IEEE members used for their accounts was 123456. This detail should remind internet users to create complex passwords that combine numbers and letters as a form of data loss prevention to make it difficult for a person to crack, according to experts. Because "123456" and "password" are so common, cybercriminals will test those codes first.
-McAfee Cloud Security