On November 23, security researcher Troy Hunt notified the online image-sharing community Imgur of a potential information security breach: he believed he had received data that included information about a large number of Imgur users. Imgur confirmed on November 24 that, in 2014, cyber criminals had compromised the email addresses and passwords of 1.7 million Imgur users.
Imgur users have never been asked to provide names, addresses, phone numbers, or other personally identifiable information (PII), so the criminal hackers gained no other data.
Hunt emailed Imgur’s COO Roy Sehgal with news of the data breach; the email was forwarded to CEO Alan Schaaf and Vice President of Engineering Ron Benson, and the company delivered a swift response. No more than 25 hours and 10 minutes later, Imgur began emailing users affected by the breach, requiring them to update their passwords. A public announcement was also issued by 4:00 pm PST that day.
Troy Hunt tweeted to acknowledge Imgur’s prompt response to the data breach.
Imgur is still investigating the breach. Sehgal asserts that, although the organization uses password encryption in its database, the criminal hackers may have taken advantage of an “older hashing algorithm”, SHA-256, which Imgur replaced in 2016.
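The weakness behind Sehgal’s remark is not SHA-256 itself but using a fast, unsalted hash for password storage, and the usual remedy after replacing such an algorithm is to re-hash each legacy record on the user’s next successful login. The following is an added illustration, not Imgur’s code; the user names, passwords, record format and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for the replacement KDF; tune for your own hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_sha256(password: str) -> str:
    """Unsalted, single-round SHA-256 (the 'older' style of record).

    It is deterministic and fast: two users with the same password get the
    same hash, so one precomputed table matches every such record at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>  (constructed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def needs_rehash(stored: str) -> bool:
    """True for a legacy record: 64 hex characters of raw SHA-256, no '$' fields."""
    return "$" not in stored and len(stored) == 64


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if needs_rehash(stored):
        return hmac.compare_digest(legacy_sha256(password), stored)
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def login_and_migrate(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade a legacy record to the salted
    KDF format. The plaintext is only ever available at login, which is why
    migration away from an old algorithm happens one login at a time."""
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed sample: two hypothetical users who chose the same password.
    alice_legacy = legacy_sha256("correct horse")
    bob_legacy = legacy_sha256("correct horse")
    print("legacy records identical:", alice_legacy == bob_legacy)  # True

    alice_new = hash_password("correct horse")
    bob_new = hash_password("correct horse")
    print("salted records identical:", alice_new == bob_new)  # False

    ok, upgraded = login_and_migrate("correct horse", alice_legacy)
    print("login ok:", ok, "| still legacy:", needs_rehash(upgraded))  # True False
```

Two things to look for when reviewing a password store like this: identical hashes for different accounts (a sign of a missing per-user salt), and a hash function whose cost is a single digest call rather than a tunable work factor.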
Ensure timely data breach notifications under the upcoming GDPR
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and requires organizations to disclose details of a personal data breach within 72 hours. Any organization that processes the personal data of EU residents will fall under the GDPR’s scope. If a business fails to report a data breach, it will face fines of up to 4% of its annual global turnover or €20 million, whichever is greater.
Lower your risk of being hit with stiff penalties by implementing an information security management system (ISMS) that achieves ISO 27001 accreditation. ISO 27001 is the auditable international standard that defines the requirements for an ISMS. IT Governance can support your organization in implementing an ISMS that is based on ISO 27001. Download our free green paper: Implementing an ISMS – The nine-step approach.