
Some companies are failing at a primary security measure

Some major tech companies are failing at a primary security measure. They aren’t encrypting sensitive data; they are storing it as plain text. That is concerning!

Yesterday the news came out that Freedom Mobile, the mobile telecommunication company that is currently owned by Shaw, had a server that was leaking log files containing information in plain text. The logs contained customer names, email addresses, phone numbers, postal addresses, and dates of birth. They also included answers to credit checks filed through Equifax as well as full credit card numbers, expiry dates, and verification numbers. All stored in plain text and unencrypted. (Source)

Speaking of Equifax, they had a significant data breach in 2017 where hackers stole the data of millions of customers, and guess what: passwords were apparently stored in plain text and unencrypted. (Source)

This March, Facebook accidentally logged and stored passwords in plain text. (Source)

Yahoo had a data breach in 2012 where hackers took more than 400,000 unencrypted credentials. (Source)

Encrypting sensitive data before storing it in a database, or anonymizing it in logs, is not an advanced concept. Even elementary-level developers know about that. It is one of the first lines of security that developers learn about in school. If a company acquires legacy technology and data, encrypting sensitive data should be its number one priority before even attempting to continue using the service.

Plain text data can be handy to hackers. People tend to reuse the same email and password on multiple services. When hackers get their hands on one email and password, they can gain access to the other services that the same person has been using. A lot of the time, people won’t find out that there has been suspicious activity on their blogs, bank accounts, Netflix accounts, and so on. That’s because hackers are using the correct credentials to access those accounts.

It’s hard to tell why these mega-large tech companies have failed at one of the most basic security measures, but it is gravely concerning.
