What does online gossip rag Gawker have in common with fast food restaurant chain McDonald's? In the past several days, both have fallen victim to hackers who gained access to user databases.

The Gawker hack, in particular, has garnered a lot of attention because the hackers seem most interested in humiliating the popular blog. They have released the emails and passwords of more than 1m of Gawker's registered users.

These two high-profile data breaches are far more than just embarrassments to the companies that have to answer to them. They also serve as a powerful reminder that the personal data we share across the web is always liable to fall into the wrong hands.

Even if that data seems innocuous when we provide it, in some cases there's a lot that can be done with it. Because many people reuse the same password across sites, for instance, more important online accounts, such as financial accounts, are put at risk when a low-value one is breached.

For companies operating online, there are several key lessons that can be learned from the Gawker and McDonald's hacks:

Data security is a journey, not a destination. Data security is not a metaphorical box that companies can simply check off. Even if you do everything right when setting up shop on the web, it's deadly to assume that your job is done when it comes to securing your data.

Data security requires a holistic approach. Hackers have a huge advantage over their targets: a target can defend itself against 99 out of 100 threats, but the one vulnerability that slips through can blow the doors wide open. Knowing this, companies need to approach data security from all angles with a very specific goal: designing an organizational and technical structure under which risk is contained because a single breach is unlikely to give attackers access to all databases, applications and infrastructure.

Encryption isn't enough. To its credit, Gawker wasn't storing user passwords in plaintext (a big no-no of course). But just because it encrypted passwords didn't mean that those passwords were secure.
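The point of the lesson above is that a password store which can be decrypted falls together with its key, which the application has to hold somewhere, whereas a store of salted, deliberately slow one-way hashes gives an attacker who steals the table nothing to decrypt and forces every password to be guessed on its own. As an added illustration that is not from the article, from Gawker or from any library the article mentions, here is a minimal password-storage routine in Python using PBKDF2 from the standard library; the function names, the record format and the iteration count are my own choices for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical policy values for this example (not taken from the article).
HASH_NAME = "sha256"
ITERATIONS = 100_000   # makes each guess expensive; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one guess
    against every account at once, and no key exists that unlocks the whole table.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record: never accept it
    if scheme != f"pbkdf2_{HASH_NAME}":
        return False
    expected = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(expected.hex(), digest_hex)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current work factor: rehash it at the user's next login.

    This is the "journey, not a destination" part: a store that was adequate when
    built has to be strengthened over time, which is only possible if each record
    carries its own parameters.
    """
    parts = record.split("$")
    if len(parts) != 4:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample table: two users who happen to share a password.
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print("records differ despite equal passwords:", users["alice"] != users["bob"])
    print("alice logs in:", verify_password(users["alice"], "correct horse"))
    print("wrong password rejected:", verify_password(users["alice"], "wrong"))
    legacy = hash_password("correct horse", iterations=1_000)   # an old, weaker record
    print("legacy record flagged for rehash:", needs_rehash(legacy))
```

Storing the iteration count and salt inside each record is what lets the work factor be raised later without a flag day; and because the records are one-way, a breach of the table is still serious (users who reuse passwords elsewhere remain exposed, as the article notes) but it is not the wholesale disclosure that a decryptable store would be.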

Third parties are often the weakest link. McDonald's itself wasn't hacked. Apparently an "email database management firm" it relied on was the real victim. While it's virtually impossible to eliminate risk when using third party vendors, companies can reduce it by choosing third parties whose data security measures live up to high standards and by conducting regular audits to ensure that those standards are more than just words.

Collecting data is risky; storing it online for longer than you need it is even riskier. In many cases, data is stored on the internet (or on networks accessible via the internet) when it really doesn't need to be. In the case of McDonald's, for instance, it's quite possible that the database that was breached was old and could have been taken 'offline' with no ill effect on McDonald's online operations. This highlights a key point far too often ignored: whenever possible, data should be taken offline or deleted entirely.


Published 14 December, 2010 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.


Comments (1)


Peter Duffy, Business Development Director at e-Dialog

Organisations that regard data security as an important issue may want to check whether their ESP or CRM provider adheres to any internationally-recognized data security standards. The most widely recognized standard is ISO 27001 - the ISO standard for data security.
