RockYou Gets Rocked again - this time a PII Lawsuit

Saturday, January 02, 2010

Jason Remillard


Cross posted from:

Well, it's happened. This time, the users themselves have taken action against RockYou for its inadvertent disclosure of customer information.

As we previously reported, RockYou was hacked, and it looks like over 32,000,000 accounts were disclosed. Yes, 32 million!

What is interesting about this case, for me anyway, isn't the size of the disclosure (1 million, 30 million, whatever); it's the fact that the lead plaintiff is accusing RockYou of disclosing PII (Personally Identifiable Information) as part of the exposure. That opens RockYou up to far more litigation than a simple information disclosure would, since now we're dealing with users' personal information. As noted, RockYou is a launchpad type of service: it holds users' credentials for other services (MySpace, Facebook, etc.) as part of what it does.

The suit alleges that “RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers.”

So now RockYou is being held responsible, in the plaintiff's claim, for exposures across the OTHER platforms as well. As part of our risk mitigation service, we've been warning site owners about the risks of holding consumers' PII. It isn't just email addresses that are risky (like the AWeber hack reported last week, though I expect the AWeber hack to be less litigious: what was exposed there was 'just' email addresses, which sit fairly low on the PII scale).

On the RockYou side, the PII exposure looks much larger, since the exposed information included not just names and addresses but account information for other services. So, from a customer's perspective, that information is the linchpin for targeting people who are otherwise trying to stay anonymous.

Consider this: a user has a Facebook account, a blog, and a MySpace account. The Facebook profile is private, the blog is open, and the MySpace account is open and carries some, er... risqué content (pick your genre). Until now this person had privacy of a sort, because he or she could operate these services independently of each other. With the exposure, you have this person's account information for every one of those services. Anyone looking through the data can stitch the services together and paint a pretty complete picture of the person's activities.

THAT is what makes this exposure large and frightening. RockYou was entrusted with the information and did little to protect it (as evidenced by the clear-text passwords, among other things). As well, the exposure was documented 'nicely' by the hacker: he posted enough to prove the hack without dumping the data on the masses. However, if this hole was there for an unknown time (weeks, months, years!?), who knows who else has this information and what it is being used for.
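To make the stitching scenario and the clear-text problem concrete, here is an added example (my own code, not anything from RockYou or from the original post). It runs over a small constructed sample of what a launchpad service's user table might look like, shows how an attacker groups a person's handles across services and finds where the launchpad password is reused, and then shows what the same table looks like once the launchpad password is salted and hashed. Every email, handle and password below is made up; the one real lesson is in `attacker_view`: hashing protects the passwords, but the handle linkage that makes this dump dangerous survives unless it is protected too.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample rows (not real data), modelled on a clear-text launchpad
# table: the user's launchpad login plus the credentials the service holds
# for the sites it logs the user into.
CLEARTEXT_DUMP = [
    {"email": "alice@example.com", "password": "sunshine1",
     "service": "facebook", "handle": "alice.private", "service_password": "sunshine1"},
    {"email": "alice@example.com", "password": "sunshine1",
     "service": "blog", "handle": "alice-writes", "service_password": "writing2009"},
    {"email": "alice@example.com", "password": "sunshine1",
     "service": "myspace", "handle": "xXalice_nightXx", "service_password": "sunshine1"},
    {"email": "bob@example.com", "password": "hunter2",
     "service": "facebook", "handle": "bob.k", "service_password": "hunter2"},
]


def stitch_identities(rows):
    """Attacker's first step: group rows by launchpad email so that every
    handle a person uses on other services lands under one key."""
    profiles = defaultdict(dict)
    for row in rows:
        profiles[row["email"]][row["service"]] = row["handle"]
    return dict(profiles)


def reused_password_services(rows):
    """Services the attacker can enter with the launchpad password alone,
    i.e. rows where the third-party password equals the launchpad one."""
    reuse = defaultdict(list)
    for row in rows:
        service_pw = row.get("service_password")
        if service_pw is not None and service_pw == row.get("password"):
            reuse[row["email"]].append(row["service"])
    return dict(reuse)


PBKDF2_ROUNDS = 100_000  # assumption: a cost a 2010-era web tier could afford


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A dump of this yields salt and digest,
    not the password; each weak password still has to be guessed separately."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def harden(rows):
    """Same table with the launchpad password hashed and the third-party
    passwords removed from it. A launchpad genuinely needs those third-party
    passwords in usable form, so they belong in a separate store encrypted
    under a key that never sits in the database (not shown here)."""
    hardened = []
    for row in rows:
        salt, digest = hash_password(row["password"])
        hardened.append({"email": row["email"], "salt": salt, "password_hash": digest,
                         "service": row["service"], "handle": row["handle"]})
    return hardened


def attacker_view(hardened_rows):
    """What a dump of the hardened table still gives away: no reusable
    passwords, but the cross-service linkage of handles is intact."""
    return stitch_identities(hardened_rows), reused_password_services(hardened_rows)


if __name__ == "__main__":
    print("clear-text dump, stitched:", stitch_identities(CLEARTEXT_DUMP))
    print("clear-text dump, reuse:", reused_password_services(CLEARTEXT_DUMP))
    print("hardened dump, attacker view:", attacker_view(harden(CLEARTEXT_DUMP)))
```

The point of `attacker_view` is that the email-to-handle mapping is itself the PII the lawsuit is about: hashing the launchpad password stops credential reuse against the other sites, but the stitched profile of who is "alice.private" and "xXalice_nightXx" falls out of the hardened table just as easily. That mapping needs the same care as the passwords (encryption at rest, minimal retention), which is not something a password-hashing change gives you for free.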

As business owners, we should be greatly concerned and watch this case with interest. Other than the big names (Verisign, Heartland, etc.), which simply swept their breaches under the carpet and paid off the exposed people, this is one of the first 'small' companies to be hit with both the exposure and the lawsuit.

Reading the language of the lawsuit, you'll see many joining this class action, and the damages will probably rock quite hard. RockYou is small, doesn't have the teams and reams of lawyers the big guys have, and if it loses the case it would probably have to shutter the service.

So a greatly valuable and popular service is now at risk (business-wise and otherwise) because it didn't invest in simple ongoing security scanning. Like insurance, you only need it when you need it. I suspect management, in hindsight, would have invested a small amount in a regular scanning service like ours. It's 'cheap' insurance, and our solution would have reported the exposure the moment the first scan ran. One caveat worth stating: a scan finds the hole an attacker can walk through; it does not undo the decision to store passwords in clear text, which is what turned a break-in into a disclosure of 32 million accounts' credentials.

Knowledge is power, and protection is imperative in this day and age. Not investing in simple security measures like this really is criminal.

Anthony M. Freed: Trust me - the legal community is just getting up to speed on a lot of these PII issues, and they are preparing years and years of litigation strategies depending on how some of these early cases turn out.

Toss in SOX and other SEC and FTC regs, and we might have a perfect storm.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
