ID theft protection firm LifeLock has, ironically, failed to implement appropriate security measures for its own customer data. Customers who had hired LifeLock to monitor and protect their identities after an earlier breach have been left vulnerable once again.
Mark James, Security Specialist at IT security firm ESET, explains where LifeLock went wrong and what affected users can do:
Does any company have the right to make such bold claims? (LifeLock offers a $1 million guarantee to compensate customers if they become victims of identity theft after signing up to the service.)
“As seen here, bold claims don’t necessarily indicate a good, solid business model. Offering to protect your identity and then taking very few measures to secure that data is like a bank stacking the money in the corner behind a privacy screen; it’s a natural target and will get attacked sooner or later. We have to take companies’ claims and marketing messages at face value, associate those with reviews from other users and judge for ourselves whether they are suitable for our needs. The problem in this and many cases is we do not have access to their security systems. We expect all the bells and whistles, we expect 128- or 256-bit AES encryption and we expect them to do what they say – protect our data!”
What should LifeLock have done?
“LifeLock made claims that any data stored on their servers, which included names and addresses, birth dates, Social Security numbers, and credit or bank card information, would be encrypted and protected in “other ways” and accessed only by authorised employees on a need-to-know basis, but this clearly was not done. No encryption was used, and even their password policy was poor, which results in a complete cook pot of “Hack Me Soup”. Effective validated encryption, prioritising access along with good data management and very strong password policies should be done as standard. Data monitoring and routine checks to ensure their users’ data is stored in the most secure possible way should be the baseline for their security; then trying to add extra security and better protection should be their long-term goals.”
What should users do?
“Sadly, their data is vulnerable; changing passwords and trying to find a reputable ID theft-protection agency to protect what they thought was their protected data is the only thing they can do. Monitoring bank accounts and being aware of any targeted phishing emails will help to keep them safe, but more needs to be done to check and validate companies that apparently protect “our” data.”