These attacks are among the hundreds of online security breaches this year alone, compromising data of more than 22 million people, according to the Privacy Rights Clearinghouse. Targets have included Citigroup, Lockheed Martin and even RSA Security, which makes password tokens that big companies use to protect themselves from intrusion. A survey earlier this month by the Ponemon Institute found that 9 out of 10 companies had suffered an online attack in the last 12 months.
Companies and the government are unprepared. Citigroup didn’t track patterns of activity on its credit card site and failed to notice immediately when hackers took data on more than two million card users, said Avivah Litan, a security expert at Gartner. Sony didn’t encrypt the data of users of its PlayStation network — phone numbers, passwords, e-mail addresses and account histories.
Recently, for several hours, Dropbox, a popular service for storing documents and other files in the so-called computing cloud, allowed anyone to log into any of its 25 million user accounts using any password. The company tried to keep the glitch quiet but was exposed by a security researcher. No wonder Americans’ concern about Internet security has jumped sharply in the past few months. Technology professionals are getting cold feet about moving more operations onto the cloud when poor corporate security practices are exposing customers to devastating identity theft and fraud. This vulnerability could stymie the Internet economy.
There is no fail-safe technology that is immune to hacking. Online security will evolve as hackers and security experts work continuously to outwit each other. Still, current standards are too low. Companies — and the government — must devote substantially more resources to security, making it integral to every new application, rather than patching it on as an afterthought.
There are some signs of progress. Security experts are deploying a new worldwide system to identify Internet addresses that will make it very difficult to forge or spoof a Web site. In May, the Obama administration proposed legislation with sensible provisions to ensure that companies running critical infrastructure — like the nation’s power grid — have adequate systems to reduce the risk of an attack online.
The proposal would standardize 47 state laws on breach reporting, requiring notification of customers whose accounts were compromised. This could be a powerful incentive for firms to take security more seriously.
Other tactics are also needed. The Federal Trade Commission wants rules to force companies to minimize the information they collect from customers and to dispose of such data as soon as possible. The stolen Sony data, for example, had been on dormant servers for years.
We are putting our lives in the cloud, as companies and consumers store everything from family photos to corporate business secrets on remote servers. Beefing up online security is of paramount importance.