Thales Blog

Server Security Issues Plague LivingSocial

April 10, 2014

Popular ‘daily deal’ website LivingSocial became the latest company to fall afoul of hackers when its servers were recently breached. The company had to undertake the unenviable task of informing some 50 million users that they needed to reset their passwords following the cyber-attack.

Of course, LivingSocial is hardly alone. Evernote suffered a similar attack in recent weeks, and countless other companies that have discovered that their security posture is not up to defending against modern threats.

These breaches demonstrate considerable failures in server-level security. With servers holding the “crown jewels” of operational information, neglecting to ensure that your server data is sufficiently protected is a breach just waiting to happen.

Looking at the information that’s available on the LivingSocial incident, it appears that while the passwords were salted and hashed, this type of partial one-way encryption left the data not as well-protected as it could have been.

While it has been reported that the databases containing customer credit card and merchants' financial information were thankfully not affected, the hackers may have pilfered users’ personal information in this breach. Unfortunately for LivingSocial and other firms that experience these incidents, it is exactly this type of data – names, email addresses and dates of birth – that prove instrumental in crafting other social engineering campaigns later down the line.

With cyber criminals bent on infiltrating systems and grabbing valuable data by assaulting company servers, every enterprise that relies on legacy approaches like perimeter security could just as easily fall victim to a similar attack. And for companies that are embracing Big Data and the cloud without security at the forefront of their minds, the business risks can quickly become enormous.

Given all the recent cyber attacks, companies around the globe must start taking a data-centric security approach to protect what matters. Combining encryption and access controls with detailed database monitoring is the best way identify advanced threats, compromised accounts and malicious insiders before it’s too late and you’ve become next week’s data breach headline.