3 Data security lessons from Beautiful People

When a user signs up for a dating site, he might enter his interests, location, phone number and even an income estimate. He trusts the site will keep this information confidential. But, what happens when that sensitive data is exposed?

Dating website Beautiful People is one of the latest victims of sensitive data exposure. The culprit? Hackers. While users were busy browsing the site, the team was working to keep user identities secure – but at least one third-party culprit broke through the site’s security protocols. More than 1.2 million names were compromised in the breach. A security researcher, Chris Vickery, made this discovery while seeking other data. The site made an effort to increase security, but its data had already been exposed – and sold for a profit.

Though this incident is not nearly as severe as some of the other high-profile security incidents that have dominated headlines in recent years, it’s always a serious issue when personal identity is compromised. Companies can’t just secure their perimeters and assume sensitive data will be safe. Instead, they need to proactively dig into files and identify sensitive content in order to properly manage it. However, there is a problem with this approach – companies don’t always have a strategy to gain visibility into their storage, never mind locate or protect critical information.

Every company is at risk of a security breach, whether it’s a dating site, hospital or educational institution. No matter the industry, IT and security teams can follow a few core tenets to ensure sensitive data remains out of attackers’ reach.

Constantly re-evaluate your security approach.

Securing sensitive data requires data-awareness. Some tactics to get you to this level of awareness include the following:

  • Constantly monitor your environment; the ever-changing threat landscape makes this a requirement.
  • Ask questions, such as “Where is our data living? Who can access it? How long has it been there?”
  • Use data monitoring tools to get more eyes and ears on the status of your data, and effectively assign a bodyguard to protect its most sensitive aspects.
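The three questions above can be answered per file with a small inventory script. The following is an added example, not code from the original article or from any product it mentions; the two regular expressions, the function names and the sample directory are constructed for illustration.

```python
import os, re, stat, tempfile, time
from pathlib import Path

# Constructed patterns for two kinds of personal data; a real inventory needs more.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(rb"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

def inventory(root, now=None, max_bytes=1_000_000):
    """Return one record per file under root whose content matches a pattern."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks, directories and special files
        try:
            st = path.stat()
            with path.open("rb") as fh:
                sample = fh.read(max_bytes)  # bounded read keeps large files cheap
        except OSError:
            continue  # unreadable by this account: nothing to report
        kinds = sorted(k for k, rx in PATTERNS.items() if rx.search(sample))
        if kinds:
            findings.append({
                "path": str(path.relative_to(root)),                # where is it living?
                "kinds": kinds,
                "world_readable": bool(st.st_mode & stat.S_IROTH),  # who can access it?
                "age_days": int((now - st.st_mtime) // 86400),      # how long has it been there?
            })
    return findings

def demo():
    """Build a constructed directory tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        export = Path(root, "exports", "members.csv")
        export.parent.mkdir()
        export.write_text("name,email,phone\nJane Doe,jane@example.com,555-010-1234\n")
        os.chmod(export, 0o644)                # readable by every local account
        old = time.time() - 400.5 * 86400      # last modified about 400 days ago
        os.utime(export, (old, old))
        Path(root, "notes.txt").write_text("quarterly roadmap, no personal data\n")
        return inventory(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Files that are old, world-readable and contain personal data are the first candidates for tighter permissions or deletion.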

Getting hacked can happen at any time.

Even if you haven’t experienced a compromise, it never hurts to operate as though it has happened – or could happen at any second. When it comes to security, companies should expect the worst, even as they hope for the best possible recovery scenarios. By implementing measures that help track user activity, surface anomalous behaviors and shed light on unstructured data stores, teams can identify breaches that have already taken place (or are actively taking place) and mitigate accordingly. In the event that the activity has already taken place, organizations should plan on recovering data using timely backups. Of course, these backups must be tested regularly in order to have true value.

Know that recovery will be in sight – eventually.

Depending on the size and scope of a security attack, an incident can put a company’s operations on hold – but there’s always an end in sight. In the case of Beautiful People, a first priority for the company might be to conduct a table-top exercise using the lessons learned from this breach. This process will help better prepare the organization to reduce its reaction time to a similar event in the future. It should also highlight the deficiencies in the preexisting process and mitigating controls. Once an organization is aware of its shortcomings, it can plan to implement corrective actions to prevent similar breaches in the future.

Are you prepared to withstand a data breach? Use our security budget checklist to find out.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.