If you are not from the San Francisco Bay Area, you may not know that hackers gained access to the website operated by The Bay Area Rapid Transit (BART) Police Officers’ Association, then stole and posted personal information on more than 100 officers. The officers’ home and email addresses were leaked along with passwords.
This is an extremely serious breach. With two officer-involved shootings in the last couple of years, there is a lot of controversy surrounding the organization, and activists and criminals now know where officers and their families live.
This is a breach that did not have to happen. I cannot think of any reason why extremely confidential information was on the web in the first place. What rationale could there be for anyone to be able to login to a public-facing website and look up the names and home addresses of law enforcement officers?
So let’s assume that the home addresses were not on the web server, and just the officers’ passwords were disclosed. For me to login to a website, the web server needs to validate my user name and password. I enter them into my browser, and they are sent from my computer to the server (I hope that the link is encrypted!) and the server validates them.
The server does not need to store my password, but can store a “hash” of it. When I first create my account, a one-way encryption algorithm takes my password, runs it through a mathematical transformation and then stores the result in the user database. Every time I login after that, the password that I enter into my browser is sent to the server where it is hashed and compared to the stored hash. If they match, I am granted access.
A good hash algorithm will prevent “working backwards” to discover the original password if the hash is known. The downside of hashing passwords is that if I forget my password, the system cannot email it to me, which is a breach unto itself! Instead, the site will need to implement a password reset mechanism whereby I will need to prove who I am in order to select a new password.
Do you know how your passwords are protected? You may want to check in with your IT department or the services provider that is hosting your website.
Data disclosure is just one type of data loss. Your homework is to write a short paragraph on what data loss means to you and enter it into the comments below. I will discuss data loss in general in my next article.