Tom Burton, a director in KPMG’s cyber security practice, comments on news that a Russian gang has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses. He argues that whilst the scale of the breach is eye-catching, the real issue is what the attackers can do with the stolen data. He also argues that this latest breach might finally be the wake-up call businesses need when it comes to password protection.
Burton says: “Accessing more than a billion passwords takes a significant level of organisation and sophistication, but if ever there was an argument that size doesn’t matter, this is it. Each year the number of password hacks seems to be climbing, but such a large amount in one go begs a question about what the attackers are going to do with the information they now possess. One possibility is that the plan is to package the information, price it and sell it according to its usefulness.
“This latest breach also offers more evidence that passwords are losing their effectiveness as a protection mechanism. Individuals cannot possibly remember a different password for each website they use, let alone passwords with strength. In the short term individuals must take a more risk-based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts – while being pragmatic and using common passwords for sites that would be little more than an irritation if breached.
“The next step will be the rise of consumer-driven ‘two-factor authentication’ using physical devices such as mobile phones to provide unique codes for each access – akin to one-time pads used by spies during the Cold War.
“The fact remains, though, that this latest hack of supposedly secure data is another example of the risks businesses face. Many will react to the news by changing passwords – which is a sensible move – but they would be better served taking a proactive stance against cyber threats and focusing on what they can do, in advance, rather than reacting to a publicised threat. The fear is that if this doesn’t prompt businesses and individuals to rethink how they are protecting themselves, the criminal fraternity will have a bright future ahead of them.”
KPMG Press Office
Mike Petrook, KPMG Press Office
+44 (0)20 7311 5271 (t), +44 (0)7917 384 576 (m) or email@example.com
Notes to Editors:
KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with approximately 11,500 partners and staff. The UK firm recorded a turnover of £1.8 billion in the year ended September 2013. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 155,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.