What does online gossip rag Gawker have in common with fast food restaurant chain
McDonald’s? In the past several days, both have fallen victim to
hackers who gained access to user databases.

The Gawker hack, in particular, has garnered a lot of attention because
the hackers seem most interested in humiliating the popular blog. They
have released the emails and passwords of more than 1m of Gawker’s
registered users.

These two high-profile data breaches are far more than just embarrassments to the companies that have to answer to them. They also serve as a powerful reminder that the personal data we share across the web is always liable to fall into the wrong hands.

Even if that data seems innocuous when we provide it, in some cases there’s a lot that can be done with it. Because many people reuse the same password across sites, for instance, more important online accounts, such as financial accounts, are put at risk.

For companies operating online, there are several key lessons that can be learned from the Gawker and McDonald’s hacks:

Data security is a journey, not a destination. Data security is not a metaphorical box that companies can simply check off. Even if you do everything right when setting up shop on the web, it’s deadly to assume that your job is done when it comes to securing your data.

Data security requires a holistic approach. Hackers have a huge advantage against their targets: a target can effectively defend itself against 99 out of 100 threats, but that one remaining vulnerability can blow the doors wide open. Knowing this, companies need to approach data security from all angles with a very specific goal: designing an organizational structure under which risk is mitigated because a single breach is unlikely to give attackers access to all databases, applications and infrastructure.

Encryption isn’t enough. To its credit, Gawker wasn’t storing user passwords in plaintext (a big no-no of course). But just because it encrypted passwords didn’t mean that those passwords were secure.
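As an added illustration of this point (example code, not from the original post, and making no claim about the scheme Gawker actually used): a fast, unsalted digest still lets anyone holding a leaked table match it in bulk against common passwords, and identical passwords show up as identical records; a per-user salt and a slow key derivation function remove both weaknesses. The user list below is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample users (not real breach data); alice and carol share a password.
USERS = [("alice", "password123"), ("bob", "hunter2"), ("carol", "password123")]


def store_unsalted(password: str) -> str:
    """Fast, unsalted digest: the kind of 'encrypted' storage that leaks in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the salt is stored with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_record_count(records: list[str]) -> int:
    """Number of stored values that repeat; >0 means shared passwords are visible."""
    return len(records) - len(set(records))


def audit(users=USERS) -> dict:
    """Compare what a leaked table reveals under each storage scheme."""
    unsalted = [store_unsalted(p) for _, p in users]
    salted = [store_salted(p) for _, p in users]
    return {
        "unsalted_duplicates": duplicate_record_count(unsalted),  # 1: alice == carol
        "salted_duplicates": duplicate_record_count(salted),      # 0: salts differ
    }


if __name__ == "__main__":
    print(audit())
```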

Third parties are often the weakest link. McDonald’s itself wasn’t hacked. Apparently an “email database management firm” it relied on was the real victim. While it’s virtually impossible to eliminate risk when using third party vendors, companies can help reduce risk by choosing third parties whose data security measures live up to high standards and by conducting regular audits to ensure that those standards are more than just words.

Collecting data is risky; storing it online for longer than you need it is even riskier. In many cases, data is stored on the internet (or on networks accessible via the internet) when it really doesn’t need to be. In the case of McDonald’s, for instance, it’s quite possible that the database that was breached was old and conceivably could have been taken ‘offline’ with no ill effects on McDonald’s online operations. This highlights a key point far too often ignored: whenever possible, data should be taken offline or deleted entirely.