Page 324 -
YOU’RE ON LINKEDIN? WATCH OUT!
LinkedIn is one of the most prominent social networking sites on the Web. LinkedIn has over 160 million members, mostly career-minded white-collar workers more interested in networking than being social. Users maintain online resumes, establish links with their colleagues and business contacts, and search for experts with answers to their daily business problems. People looking for jobs or to advance their careers take this service very seriously. By any measure, LinkedIn has been one of the top tech success stories in the last decade. The company is now valued at over $12 billion.
In June 2012, however, the company suffered a staggering data breach that exposed the passwords of millions of LinkedIn users. Hackers breached LinkedIn’s security and stole 6.5 million user passwords, then posted the passwords publicly on a Russian hacking forum. In the aftermath of the breach, LinkedIn users and security experts alike were stunned that a company whose primary function is to collect and manage customer data had done so little to safeguard it. LinkedIn had woefully inadequate computer security, especially for a highly successful tech company with healthy cash reserves, a strong bottom line, and talented employees.
Security experts criticized LinkedIn for not having a chief security officer whose primary job is to guard against security breaches. But even more surprisingly, LinkedIn was found to have minimal password protection via encryption and did not employ several standard encryption techniques used to protect passwords. Most companies will use a technique known as “salting,” which adds a series of random digits to the end of hashed passwords to make them more difficult to crack. Salting can be performed at little to no cost with just a few additional lines of code. Most companies use complicated cryptographic functions to salt passwords, but, incredibly, LinkedIn had not salted its users’ passwords at all, the security equivalent of leaving one’s valuables unattended in a crowded area.
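As an added illustration (my own example, not code from the textbook or from LinkedIn), the two storage schemes side by side: an unsalted hash, where every user who chose the same password ends up with the same stored digest, and a salted store, where a random per-user salt is mixed into the password before hashing so that equal passwords no longer produce equal stored values. The iteration count, the sample password list and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not the textbook's or LinkedIn's code.
# Assumption: the salted store uses PBKDF2-HMAC-SHA256 with a fixed
# iteration count; the unsalted store is a single plain SHA-256 digest.
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Unsalted store: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted store: a fresh 16-byte random salt per user, mixed into the
    password before hashing. Returns (salt, digest); both are stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def _duplicate_entries(digests: List) -> int:
    """Number of stored entries whose digest is shared with another user."""
    seen: Dict = {}
    for d in digests:
        seen[d] = seen.get(d, 0) + 1
    return sum(n for n in seen.values() if n > 1)


def unsalted_collisions(passwords: List[str]) -> int:
    """Without a salt, every user with the same password shares one digest,
    so recovering one entry recovers all of them at once."""
    return _duplicate_entries([hash_unsalted(p) for p in passwords])


def salted_collisions(passwords: List[str]) -> int:
    """With per-user salts the same list produces no shared digests."""
    return _duplicate_entries([hash_salted(p)[1] for p in passwords])


# Constructed sample: three of five users picked the same weak password.
SAMPLE_PASSWORDS = ["linkedin1", "hunter2", "linkedin1", "linkedin1", "correct horse"]

if __name__ == "__main__":
    print("unsalted shared digests:", unsalted_collisions(SAMPLE_PASSWORDS))  # 3
    print("salted shared digests:", salted_collisions(SAMPLE_PASSWORDS))      # 0
    salt, digest = hash_salted("hunter2")
    print("verify ok:", verify_salted("hunter2", salt, digest))              # True
```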
Most companies store hashed passwords on separate, secure Web servers to make it more difficult for hackers to break in. The total cost for a company like LinkedIn to set up robust password, Web server, and application security would be in the low six figures, but the average data breach costs companies $5.5 million, according to a Symantec-sponsored study by the Ponemon Institute. LinkedIn's losses might end up being even higher than that, which makes their near total disregard for data security even more surprising.
Some security experts believe that the lack of liability for companies like LinkedIn is a major reason for their lax security policies. Unlike other industries, where basic consumer protections are overseen and protected, computer security and social network data security are not regulated and are poorly protected by many companies. Additionally, with social networks, people tend not to leave a service because of a data breach. For example, in the wake of the breach, many users wanted to leave LinkedIn, but opted not to because it is the most prominent social network for business networking.
© Rafal Olechowski/Shutterstock
MIS_13_Ch_08 Global.indd 323 1/17/2013 3:10:18 PM