What are the implications of LinkedIn’s latest data breach?
Although the cause is not yet known, this breach is likely to share the culprit behind most large-scale data breaches in recent memory: a simple misconfiguration of a server or shared repository. As the sheer size, scale, and footprint of global technology vendors like Microsoft, Facebook, Google, and so on continue to grow, so too does the opportunity for simple errors to make their way into infrastructure configurations that can then be exploited.
What this means for users and individuals
It means the same thing that many other breaches have meant: your personally identifiable data is accessible to those who seek it on the dark web. This is nothing new: welcome to the club, a club you are probably already a member of. Modern commerce demands that individuals hand over enormous amounts of data to vendors, often without thinking about it, or at best writing it off as the cost of doing business with that organization. This is doubly so for social media platforms. We place faith and trust in the organizations we do business with to protect the information we disclose; however, data breaches have more or less become an unfortunate consequence of continued insecure practices within many organizations.
The cybersecurity repercussions for LinkedIn and the effects on the brand
Considering this is the second large-scale data breach at LinkedIn, I’d say the effects on the brand will be minimal. While trust in Microsoft (LinkedIn’s owner) and its services will be affected, the extent of that impact will likely be determined by Microsoft’s response to this breach. If the company goes the route of some other breached organizations and simply offers each user a year of credit monitoring, that will probably not hit the mark. To address this concern, Microsoft will need to explain how the breach was allowed to occur, how it is addressing any compliance violations the breach caused, what steps are being taken to prevent this (and similar breaches) from recurring, and what additional training it will be promoting. That will go some way towards soothing frustration, but only time will tell regarding long-term impacts.
Why this is a major breach of data privacy law and the impacts for LinkedIn
GDPR compliance is an enormous requirement, with considerable implications for those companies deemed in breach. GDPR was not yet in force during the last LinkedIn breach (GDPR took effect in May 2018 and the previous major LinkedIn breach was in 2012), so the implications of the newer privacy laws for a breach of this kind are likely to be considerable. The breach is also likely to have failed compliance with other data privacy legislation globally. This concern will be the single largest impact for Microsoft going forward.
Why Microsoft needs to invest more in cybersecurity
“Investing in cybersecurity” isn’t itself a solution. Microsoft already invests billions in security, but investment doesn’t equate to results. This illustrates an enormous challenge for security professionals: they must be aware of every vulnerability in their infrastructure and have a strategy to address each one (a herculean effort), while adversaries need only find one vulnerability that lets them in. Cybersecurity controls comprise people, process, and technology, and many organizations are due a serious overhaul to ensure that those controls are fit for purpose.
Why trust is more damaging than any financial fine
Unlike a fine, trust is not an easily measurable metric. The potential loss of customer trust could result in a considerable loss of revenue for Microsoft, even eclipsing the cost of the fine itself. Other entities have struggled to recover the public’s trust, but because entities like Microsoft have made their products and services indispensable to an enormous part of modern enterprise (combined with the public’s short-term memory), any fallout is likely to be short lived.
What individuals can do to protect themselves when a data breach occurs
When it comes to information security, cyber hygiene is remarkably analogous to biological hygiene. Much as in a living organism, poor digital security hygiene can result in an infection (a security incident) that, if not addressed, can progress into a full-blown compromise (a data breach). The expectation is that the breached organization will take active measures to mitigate the effects of the data breach, and that it ends there. However, this is not enough. Much like taking precautions against spreading COVID-19, individuals must play their part in reducing their own level of “digital security contagion”: using a password manager, creating a complex, unique password for each service, enabling multi-factor authentication wherever it is available, and so on. These are just some of the basic hygiene practices that, if followed by everyone, would make the impact of such a breach negligible by comparison. If you use your LinkedIn password elsewhere, change it there now. And change your LinkedIn password.
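As an added example (not part of the original article), here is how a practitioner can act on that advice without sending a password anywhere: a k-anonymity breach lookup that discloses only the first five hex characters of the password’s SHA-1 hash, a reuse check across a password store, and a CSPRNG-based generator for replacements. The “SUFFIX:COUNT” range-response format is an assumption modelled on the Have I Been Pwned Pwned Passwords range API; the response lines and the vault contents below are constructed for this example and are not real data.

```python
import hashlib
import secrets
import string

# Constructed sample "range" responses, keyed by the first five hex characters
# of a SHA-1 digest. The "SUFFIX:COUNT" line format is an assumption modelled
# on the Have I Been Pwned range API; these lines are made up for this example.
# SHA-1("password") begins with 5BAA6, so that prefix contains a matching suffix.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E2D3F4A5B6C7D8E9F0A1B2C3D4E5F60718:2\n"
    ),
    "00000": "0ABC8F1DC69C2E7C6F1E7B2B0D9D3C5A1B2:17\n",
}


def sample_lookup(prefix: str) -> str:
    """Offline stand-in for the network range query: returns the constructed
    response for a five-character prefix, or nothing if the prefix is unknown."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def sha1_hex(password: str) -> str:
    # SHA-1 is used only because the published breach corpus is indexed by it;
    # it is not an acceptable way to store passwords yourself.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, range_lookup=sample_lookup) -> int:
    """k-anonymity check: only the 5-character hash prefix leaves the client;
    the remaining 35 characters are matched locally against the returned range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def find_reused(vault: dict) -> list:
    """Group services that share a password, comparing digests rather than the
    raw strings. Returns a sorted list of sorted service-name groups."""
    by_hash = {}
    for service, password in vault.items():
        by_hash.setdefault(sha1_hex(password), []).append(service)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG containing at least one character from each
    class; resamples until the class requirement is met."""
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    # Constructed vault: the LinkedIn password is reused for e-mail.
    vault = {"linkedin": "password", "email": "password", "bank": "Tr0ub4dor&3"}
    print("reused across:", find_reused(vault))
    for service, pw in vault.items():
        print(service, "seen in breaches:", breach_count(pw))
    print("replacement:", generate_password())
```

To use this against the live service, replace `sample_lookup` with a function that fetches the range for the prefix over HTTPS; the password and its full hash never leave the machine, which is the point of the prefix-only query.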