Any customer data, and especially PII, needs to be toxic. The toxicity needs to increase super-linearly with the total amount of data, because the value of a leak does, too, while the difficulty of the breach probably does not.
It needs to be so expensive to store extensive data of millions of people that companies (or for that matter, the government) cannot wait to get rid of it.
Currently, most online shops nudge me towards opening an account and letting them store my data indefinitely (to facilitate marketing and reduce friction). They should do the opposite: nudge me towards not causing them the hassle of storing my data beyond the immediate business transaction.
I built an app back in 2012 for emotional journaling and I tried to collect as little data as possible from the user because I didn’t want to have the burden and legal responsibility to guard all that deep data. Many people in SV told me I was crazy not to collect data. It does make it harder to develop the app with so much uncertainty about how people are using it, yet I felt much more free knowing I wasn’t one hack away from exposing people’s lives.
ah, yes, I do ask them when I get the chance. Sometimes it would be a lot easier to just monitor them without having to ask. I mean, I'm sure it's a sliding scale of privacy/automation, but I still like doing it more manually, or rather, with more intentional consent.
Collecting data is just a symptom of a bigger disease called "marketing". You eradicate that disease and suddenly there's no reason to collect more data than necessary, along with a near-infinite list of other quality of life improvements like the lack of dark patterns, email and push spam ("newsletters" and "offers" as they call them), etc.
In that case the data was clearly needed for the essential service EasyJet provides; it wasn't marketing data. According to the article, the data stolen was email addresses and travel details, and for some customers credit card details (for customers who asked EasyJet to save them).
When I was applying for UK citizenship, they needed 5 years of all travel data (entry and exit into the UK). EasyJet's databases (and other flight providers') proved useful. Of course, you could wonder why the government even needs this data, or why they don't keep it themselves (I don't for a moment believe that UK government / spy agencies don't have all data about all flights in and out of the UK).
This is how I’m building my startup[1]. All data stays with the customer and we actively don’t want it, because that’s how I wish all my products worked. I suspect you will see more startups who treat data more respectfully in the future, as the next wave of founders have experienced the consequences of unrestricted data collection.
Having said that, I also think a large part of the problem is that treating data like toxic waste is hard. There are more established patterns for data collection than data destruction. How do you know when it’s safe to delete some piece of data? What if the user comes back and complains about a transaction after you’ve deleted the associated data?
Imagine EasyJet putting the burden of keeping all your transaction logs on you: "Passenger assumes responsibility for downloading this electronically signed package and keeping it for 2 years"
On a completely tangential note: How does your product work with pets?
Ha, that makes me wonder if we could have a future standardized protocol where your browser handles the responsibility of storing a signed package of data, and sending it back to the company when needed. Basically treat each package of data like a product that might need to be RMA'd if there's an issue. Obvious first question is what happens when you switch browsers/devices.
Regarding pets: it'll depend on the size of your pet. For most people, the sensors properly ignore pets, but they can be confused by large dogs. You can adjust the sensitivity of the sensor, so it's generally only an issue if you have both large dogs and small children, and only want to count one of them. We're working on a software update that should help that scenario too. Feel free to send me more questions at neil@hiome.com :)
The government wants many companies to keep certain data, to prevent fraud by the customers (and sometimes the businesses). Decentralizing the data makes such frauds (including tax fraud) more difficult to audit or detect, so it seems unlikely that governments will permit it.
But wait, isn't this exactly how MOST businesses operate today? I certainly can't go to my local dry cleaners and request the transaction data for something that happened 2 years ago, much less any sort of metadata about that transaction (3 shirts, one blue two white, no starch). The normal principle most businesses adhere to is a strictly limited time period of "memory" of any particular transaction or interaction, after which it is solely the customer's responsibility to keep records.
> There are more established patterns for data collection than data destruction. How do you know when it’s safe to delete some piece of data?
I agree, but this is exactly analogous to the SDLC. Most coders only learn to hack together barely-working code. Those who spend the effort to learn the craft figure out how to {version control, unit test, static analysis, benchmark, integration test, upgrade library dependencies} and automate these processes.
Similarly, there needs to be a data lifecycle with defined retention lifetimes for different data, defined processes for actually disposing of data, and special handling cases for backup blobs (which may be retained longer than the retention lifetime of a subset of the data in the backups). This is effectively intended by the GDPR (not sure if it states explicitly) and similar laws.
Startups now have to think about things like GDPR and Cali's laws, so they have to think about this data more -anyway-.
> I also think a large part of the problem is that treating data like toxic waste is hard.
Yep. It's a -lot- of extra work to do. It's a balancing act between:
- Keeping data long enough to satisfy govt regulations, rulings, or existing contracts with your vendors (i.e. merchant account with a bank for CC processing.) You can't just order something from Amazon, send a GDPR request and expect all your data to be gone; they can't delete it until -after- those retention periods have expired.
- Following Regulations like GDPR/Cali Privacy law.
- Still doing meaningful things with the data.
Generally speaking, I'd say this is all stuff that makes a Data architect very handy in the modern climate.
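The data lifecycle described in the two comments above (per-category retention periods, mandatory periods that an erasure request cannot shorten, legal holds, and backup blobs that outlive the records inside them) as a small policy engine. This is an added example, not code from any commenter or from easyJet; the categories, periods and grace window are constructed values, not real regulatory figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention rule per data category: (days to keep, mandatory?). A mandatory
# period is one imposed by regulation or a vendor contract, so an erasure
# request cannot shorten it. All periods here are constructed for the example.
RETENTION: Dict[str, Tuple[int, bool]] = {
    "marketing_profile": (30, False),     # our own choice; erasable on request
    "order_record": (6 * 365, True),      # tax / merchant-account retention
    "support_ticket": (2 * 365, True),    # dispute window (constructed)
}
BACKUP_GRACE_DAYS = 90  # how long a backup blob may outlive its newest record


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False         # open chargeback, dispute or litigation
    erasure_requested: bool = False  # e.g. a GDPR erasure request


def retention_deadline(rec: Record) -> date:
    """Earliest date on which the record's retention period has expired."""
    days, _ = RETENTION[rec.category]
    return rec.created + timedelta(days=days)


def disposition(rec: Record, today: date) -> str:
    """Decide 'hold', 'delete' or 'keep' for one record.

    Precedence: a legal hold always wins; an expired period means delete;
    an erasure request is honoured early only for non-mandatory categories,
    because mandatory data cannot go until its period has run.
    """
    if rec.legal_hold:
        return "hold"
    _, mandatory = RETENTION[rec.category]
    if today >= retention_deadline(rec):
        return "delete"
    if rec.erasure_requested and not mandatory:
        return "delete"
    return "keep"


def sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by the action the policy assigns them today."""
    out: Dict[str, List[str]] = {"hold": [], "delete": [], "keep": []}
    for rec in records:
        out[disposition(rec, today)].append(rec.record_id)
    return out


def backup_purge_date(snapshot: date, contents: List[Record]) -> Optional[date]:
    """When a backup blob taken on `snapshot` may be destroyed.

    The blob is one unit, so it lives until the longest-lived record inside
    it could have been deleted, plus a grace period. A held record makes the
    blob undeletable for now (None). The blob therefore outlives the live
    copy of short-lived data such as marketing profiles, which is the backup
    special case the comment above describes.
    """
    if any(r.legal_hold for r in contents):
        return None
    latest = max(retention_deadline(r) for r in contents)
    return max(latest, snapshot) + timedelta(days=BACKUP_GRACE_DAYS)
```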
Doesn't PCI require a payment processor to keep some amount of the transaction data for a specific period of time?
Personally, I love tokenized transactions / specialized payment processors (eg Apple Pay, Stripe, PayPal) because they actively work to keep most of the data away from etailers (who are generally not specialists in securing their checkout flow). The problem is the payment processor transaction fees can be steep (2.x% for most commodity CC processors all the way up to 15% for Apple Pay), so etailers lose on the margins and avoid the more secure options.
Having worked with EJ I just wanted to point out their systems are insanely fragile. They never notified us about breaking changes and the system itself would go down multiple times. There was no CS when something went wrong. And this was their B2B API. And from talking to ppl who were working in EJ, a lot of things were being done on Excel spreadsheets and emailed across.
Just wanted to give this info as a sort of reference. I remember when I first found out how they worked that I was so shocked that it wasn't more public knowledge.
Interesting to hear, although a lot of companies still rely on emailing documents to each other. A few years ago I interviewed with a consultancy that provided a lot of development work for easyJet. They were operating under an old model of both work organisation and technology and not very keen to change. The interview went OK until I met the company CTO, whose personality left a lot to be desired. We ended up having a heated discussion about the need to innovate, or not in his case. Unsurprisingly, I never heard back from them.
I think I even know the person you are talking about and yeah... :D I do feel that there is a culture in these big OLD (=old ibm mentality) where there is no need to innovate and it always costs a lot to do things right. The only reason they do is because some engineers are really pushing for it and making it happen.
A limit always exists. If you don't enforce it yourself you will find out when someone decides to send you 64GB of data to hash as their password. So it's always better to enforce the limit yourself.
Sure, could be, but to play devil's advocate maybe not: some hashing libraries have limits (silent truncation or otherwise) and/or it could be reasonable not to allow users to make the backend hash strings of unbounded length.
The bank I'm using has 2FA for all actions performed in the website, so that's my guess as to why they don't prioritize fixing the lame password requirement.
Exactly. 2FA is much more important than a complicated password (not that I'm advocating having a guessable one here), altogether providing an acceptable level of security.
Every time I see passwords with a list of excluded characters, I assume their system breaks when processing such passwords in plaintext. Hashes wouldn't cause any problems.
It could also be because they had imperfect character escaping in the codebase at some previous point in time and didn't bother to migrate user credentials to work exclusively with the newer correctly-escaped code.
Fun fact: PHP used to escape some characters in some POSTed data by default before a specific version, then changed the default config:
> Prior to PHP 5.4.0, the PHP directive magic_quotes_gpc was on by default and it essentially ran addslashes() on all GET, POST and COOKIE data.[1]
I know for a fact some users of a previous site I worked on had stored their password (hash) with one escaping mechanism, only to start failing authentication after that function was no longer used upon data input (all escaping should be done upon output for more perfect control of different security contexts, e.g. escaped HTML versus escaped SQL versus escaped JSON).
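The failure mode in the comment above (hashes written while addslashes() was applied to all input, then logins failing once that escaping was removed) and a transparent migration for it, as an added example that is not from the commenter or from PHP itself. addslashes() is ported here from its documented behaviour; the hash format and PBKDF2 round count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 50_000  # constructed; tune to your hardware


def addslashes(s: str) -> str:
    """Port of PHP's addslashes(): backslash-escape ' " \\ and NUL.

    This is what magic_quotes_gpc applied to every GET/POST/COOKIE value,
    so a password containing these characters reached the hash function
    already mangled.
    """
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256 hash in a self-describing 'v1$salt$hash' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "v1$" + salt.hex() + "$" + dk.hex()


def _matches(pw: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_migrate(pw: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a login against a stored hash, tolerating magic_quotes-era rows.

    Returns (ok, replacement_hash). If the raw password matches, nothing
    needs to change. If only the addslashes()-mangled form matches, the row
    was written while input escaping was still on: accept the login and hand
    back a fresh hash of the raw password for the caller to store, so the
    user is migrated on next login instead of being locked out.
    """
    if _matches(pw, stored):
        return True, None
    legacy = addslashes(pw)
    if legacy != pw and _matches(legacy, stored):
        return True, hash_password(pw)
    return False, None
```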
I remember reading that a somewhat-legitimate reason for blocking special characters is that it's a signal for keyloggers that the typed string might be a password.
After briefly searching Google, I couldn't find anything to support that theory though.
It's an interesting point, but I think when the user has a keylogger, they've already lost. I'd rather have websites disallow passwords shorter than ~10 chars, which are trivially brute-forceable in case of a leak.
If special chars can be a signal for keyloggers, so are strings > 10 chars, and strings which are not all-lowercase/all-uppercase/first-capital. Basically to mislead the keylogger in this way, the user would have to use a short all-lowercase dictionary password :)
I jokingly like the idea of using utf-8 emojis in a password.
They're available on nearly all phones and web browsers, common enough to not be susceptible to those sort of keyloggers and don't show up in any of the largest dictionaries/rainbow tables.
Given the disallowed chars that's suggestive that the form used to be implemented as a GET, so it's possible passwords were in log files for a long time.
Is there a technical reason to use a GET for authentication? I've always seen it as a POST. If you use GET, won't your parameters be plainly visible in well, everything, unless they put them in the body and that's a whole nother can of worms.
No, HTTPS encrypts the URL as well (although the domain itself can be leaked via DNS). But in most respects query params are no different to the body security-wise. The main difference is that if you bookmark it, you may end up storing your sensitive data in your bookmarks.
Query params often end up in stuff like web server (WAF, load-balancer, reverse proxy, ...) access logs and they might get accidentally exposed.
They shouldn't get exposed of course, but they do. [EDIT: redacted an example of some random dude's access log]
If you search for "password" in there you will likely see a new Mirai bot variant [1] bouncing credentials off the server looking for weblogin.cgi on vulnerable Zyxel devices.
I imagine PA highlighted this detail in their post ("weblogin.cgi accepts both HTTP GET and POST") exactly to ensure defenders don't restrict themselves to blocking or investigating only the more normal POST mechanism.
I had no clue the URL was encrypted too. So how does DNS work? Or does it send through plaintext the name of the server, and the rest of the URL has to be encrypted by the endpoint.
I have definitely seen some sites using GET for authentication, they tend to be ones that have been around for a long time and haven't been fixed. Can't remember the last time I saw this though.
I'm not sure when easyJet first started using online accounts, but "you can't use some URI query reserved chars" does seem like a strong indicator there used to be a GET involved.
No. GET params in the URL should not have security-sensitive data; this wasn't always widely known. Even in an HTTPS-everywhere world, there are still security implications.
Early versions of some PHP sites, for example, would pass around auth tokens (think the auth cookie) in a URL. This soon became an obvious problem when users copy-pasted their URLs into forum posts, non-HTTPS URLs were logged by proxies, and web server access logs became gold mines for maybe-still-active sessions.
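The point made in the comments above (query parameters land in access logs regardless of HTTPS, and a legacy GET login leaves credentials there) as a log scanner and redactor a defender could run over existing logs. This is an added example, not code from any commenter; the sample log lines, the parameter-name list and the log format regex are constructed for it.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Parameter names whose values should never appear in a URL. Constructed
# list; extend it with the names your own login/session code uses.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "token", "auth", "session",
    "sessionid", "api_key", "apikey", "secret",
}

# Apache/nginx combined log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Masks the value of any sensitive parameter wherever it appears in a target.
_REDACT_RE = re.compile(
    r'(?i)([?&](?:' + '|'.join(sorted(map(re.escape, SENSITIVE_PARAMS))) + r')=)[^&\s]*'
)

# Constructed sample log: a legacy GET login, a normal page view, a POST
# login (credentials in the body, so nothing to find) and an API call that
# carries its token in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2020:10:01:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0
203.0.113.7 - - [19/May/2020:10:01:05 +0000] "GET /account?id=42 HTTP/1.1" 200 5120
198.51.100.9 - - [19/May/2020:10:02:10 +0000] "POST /login HTTP/1.1" 200 812
198.51.100.9 - - [19/May/2020:10:03:00 +0000] "GET /api/v1/bookings?token=abc123&flight=EZ123 HTTP/1.1" 200 2048
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sensitive_params(target: str) -> List[str]:
    """Names of sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every request whose URL carried a sensitive parameter.

    GET and POST are treated alike: what matters is the query string, which
    is written to the access log whatever the method.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hits = sensitive_params(entry["target"])
        if hits:
            findings.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "path": urlsplit(entry["target"]).path,
                "params": hits,
            })
    return findings


def redact_target(target: str) -> str:
    """Mask sensitive values so a log line can be retained or shared safely."""
    return _REDACT_RE.sub(r"\1[REDACTED]", target)
```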
It makes perfect sense, the company has completely screwed up in a way that's totally unrelated to Coronavirus, and now they're trying to conflate the two issues.
I imagine this data could easily be used for a scam, considering the vast majority of these customers would have had flights cancelled and are probably pending refunds. A simple "Your refund is being processed, please enter the details of the card you paid with" would be very convincing for all those desperate for their money back.
This statement is too funny. For those looking for the quote in the article, you will find it in the duplicate HN post's [0] article [1], of which its comments were merged into this thread.
6 months ago I went through every single website in my Safari keychain and changed their password, even if the password was already unique.
I also removed my credit card at some point after this from every single website - and changed the card in real life. So even if there is a card number somewhere in a db, it's not valid anymore.
I'm tech savvy and this still took around a day, and it was a pain in the ass but hopefully mitigates some of the fallout from this hack - but to be statistically safe while continuing to use online services, I'd have to wipe my passwords and cards every few months given the frequency of hacks. I couldn't expect my family to put this much effort into doing this frequently.
The system of holding a central database is completely bust. It's just too juicy a target to keep the hackers at bay.
I really wish there was more effort today spent on changing this centralised paradigm to a decentralised one - my personal data should live on my computer, and my computer only. It should never ever leave it. It should always be hashed.
If there was some way for web apps to be distributed and run on my own personal computer, with zero knowledge proofs verifying transactions on the third party service's side, we would seriously reduce the attractiveness of hackers going after these enormous databases. It needs to be as easy to secure this data as possible, and it needs to never be sucked up to somewhere else, and security patches need to be instantly applied over the top of my running kernel - without any hiccup.
Impossibly difficult, you will scoff. No one wants to run their own software. They absolutely would if the tech industry put any effort into it. Also the fines need to be increased massively to incentivise action in this direction. It should be business-ruining if you lose your customers' data like this.
If EasyJet's systems are anything like their customer service, their in-flight food, their baggage handling or their scheduling, this is not surprising.
Partner had trouble doing an online check-in with EasyJet. Some kind of error. Arrived at the airport to be told that even though she has the ticket, she does not have a place. There were ~5 people with her in the same situation. 4 other people did not show up for the flight, so some of them got a seat after all. My partner did not, and spent the night in the airport. Took about a year and loads of calling to get compensation. In the end she had to outsource it; the outsourced compensation-getting ended up costing 200 euros.
Overbooking is actually incredibly common. Every flight has some number of passengers not show up. Airlines prefer to compensate one or two people for the fact that they didn't get a seat, instead of leaving some number of seats empty.
Getting compensated should be practically instant though, and definitely not take a year, so something went terribly wrong there.
This is common. I literally had to take Icelandair (another really terrible budget airline) to court because their engines don't work (really old planes)
Not only did their system have me logged in another flight in another continent (!), they flat out denied I had a claim even though I had to stay put more than 24h, a good amount of that in the plane.
After getting sued, they tried to backhand contact me (not my lawyer) to pay compensation.
Court made them pay.
Even if you're legally entitled to compensation, EasyJet is famous for letting you jump through so many hoops, lying to you, hanging you out to dry, letting you wait forever until you just give up.
Outsourcing to some company like AirHelp (which charges 35% of recovered compensation if successful) may be a viable option to just save you the headache, while sticking it to the carrier trying to stiff you.
Another anecdote. I had an EU Lufthansa flight that was cancelled a few hours before departure. That's 600 euros compensation no questions asked, in theory. When transferring the compensation, there was some kind of hiccup with the banks and it didn't arrive. It took me more than 6 months and more than 30 emails with customer service to get the compensation resent. 90% of the replies were "accounting says funds were sent; not our problem". Ended up using the EU's out-of-court customer resolution system (recommended): I think that's what caused them to finally react.
> Is baggage handling specific to an airline? It looks like it's a service provided by the airport.
Generally you are right, yes, it is an airport service run by one of the airport's operating companies.
However easyJet and other low-cost airlines generally have a very vertically integrated system where they try to operate almost everything themselves to reduce cost.
Some airports have an entire terminal dedicated to them; I would not be surprised if they also manage their luggage system in those airports.
I reckon the more sensationalist they make the title and article the better. It doesn't matter that it is technically inaccurate. It balances out the typically false response from these companies which usually starts with "We take the security of our customers' data very seriously..."
> EasyJet said it first became aware of the attack in January.
vs
> The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
So either EasyJet was delayed in their reporting of the breach, or the ICO didn't feel it was urgent to notify 9 million people that their data had been compromised. But it is now 4 months later?
> we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access.
Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.
> Maybe the relevant supervising authority didn't find it important to notify those 9 million customers.
Which is a problem right? Now it emerges what has been breached. Including credit card data. Surely the prudent thing would have been to warn all their customers immediately to allow them to be on the lookout for malicious use of their data (phishing, etc.) and not wait until they have concluded their investigation.
Oh great, that probably explains the last few emails I got recently kindly telling me what my password is, and I should pay some bitcoin otherwise my weird browsing habits will be exposed to the world.
(edit)Ah no, no mention of passwords being stolen, so I guess it's from somewhere else.
From my experience reporting various GDPR violations it is clear that the ICO does not actually want to enforce the regulation, so this is not surprising.
So I just went to easyjet.com and logged in and they don’t prompt to update my password. I wonder if failure to invalidate all accounts is their technical ignorance or if my account was simply not hacked? I assume the ignorance of course.
> EasyJet first became aware of the attack in January.
It told the BBC that it was only able to notify customers whose credit card details were stolen in early April.
Why would reissuing passports help? The old passport is still valid and only the government is actually able to tell whether it's cancelled (as they have access to the passport DB), but for all other intents and purposes (identity verification for banks, etc) the other passport still appears perfectly valid.
Stolen and lost documents are logged in an international database. I lost my ID a few years ago. Every now and then I am asked at borders whether I have found it or whether it is still lost.
Banks check during the KYC process whether the document ID is on this blacklist. If yes, authorities are contacted.
Hence, once compromised/lost, apply for a new one and tell them what happened with your old one.
In my experience IDs are checked very informally by most companies such as utilities, etc. GDPR access requests usually require a proof of identity and I very much doubt they are checked beyond the details on them matching the account, so it can be yet another vector for stealing more data based on the passport. Banks are probably the only place where they may be checked against a lost/stolen DB, but it won't prevent you getting your SIM & phone number taken over because someone impersonated you to your mobile carrier.
The individual, as usual. Even if there's some legal recourse the inconvenience and expense will be larger than the payoff. And there's no legal framework to just be compensated by default in such cases.
Why would you need to cancel and reissue any passports? At worst the hackers might have stolen some passport numbers and expiry dates. What exactly could they do with those that would warrant issuing an entirely new passport?
Yes, there are many criminal ways to make money. It would be nothing new. For example, burning down your house or failing business to make a claim is probably as old as insurance.
So? It's still criminal. There are plenty of things that are provided by the government that are criminally gamed by a few that still provide a net benefit.
Some banks can generate a virtual CC ad-hoc, so you could have different CC details per each transaction. It's rare, I wish my bank did it, but it exists.
> Stolen credit card data included the three-digit security code - known as the CVV number - on the back of the card itself.
I always thought that PCI-DSS standards mandate that the CVV must never be stored; I get that card number and expiry date may be stored for customer convenience purposes, speeding checkout when returning for a second purchase, but how on earth could they be compliant if they are stashing away CVVs somewhere?
Only a couple thousand had their Credit Card details stolen whereas nine million had information stolen.
This sounds like they were able to access the database to steal customer information and plant code on the website to scrape any future transactions before the Credit Card information is encrypted in the database.
Credit card information is needed as-is to be able to make transactions so hashing (and thus salting) doesn’t apply. Encryption is the best you can do.
Is it the case for anyone else that your login data is not invalidated? You’d think someone in their org would realize at least to invalidate the auth data?
Of course the attacks have to be “highly sophisticated” in order to beat the “world-class” system that “highly paid” EasyJet security experts have put in place to secure customer data, which EasyJet “cares deeply” about.
"highly sophisticated cyberattack" is just PR speak for "cyberattack" - and successful cyberattacks are far more likely to be the result of negligence from the company holding the data than the sophistication of the attackers.
I once worked with a high level executive that left EasyJet and praised the company on how lean and small the team was. Apparently too lean and too small.
Unless you are being sued by the bank as the one who stole the money and this happens in another country and the time to claim your innocence is out. Then it’s you who suffers the fraud, not the bank :/ (talking from personal experience of a close friend)
Unfortunately, my friend is not able to enter the said country where he once was a resident anymore. Without spending tens of thousands of dollars with no clear promise of success it seems impossible to resolve this. Perhaps after a long time the debt to the bank is cleared. In reality, it is actually the bank that should be sued for all this – they haven't checked identity properly before giving out loans worth tens of thousands of dollars. It is not impossible that a bank employee is part of this. I am talking about the state of Israel, btw.
The summary is: a fraudster with a fake ID featuring the real data of my friend but a fake photo managed to get loans and credit cards from several banks/companies. Since my friend left the country, he was not getting any of the post. After years, these orgs opened collection cases against my friend. Since he was not in the country, the courts judged him a debt-evader and allowed a collection agency to act against him.
Yeah, I had something similar happen to me with a Swiss bank :( No loans they just emptied out my accounts and stock portfolio (I had lots of FAANG stock)
Contrast the BBC headline with Reuters' "Cyber attack on EasyJet gets details of 9 million customers". I love the BBC content but the news output seems to be far more focused on the number of eyeballs than on "facts"/accuracy. I find it infuriating.
Not really "already" since the attack became known in January, before Covid-19 decimated the industry. Were you suggesting that they were already struggling? They made a profit of over £400M in 2019 so it doesn't sound like things were too bad.
Of course, this news doesn't help them now, but it doesn't seem to me like "poor old EasyJet, down on their luck and now this".
Easyjet have been a main airline within the UK for many, many years. They may be struggling because of the current environment but this isn't a small operation that wouldn't have a security team.