Quora data breach: The industry reacts

The question-and-answer website Quora announced on Monday the company had suffered a major cyber attack, resulting in the names, email addresses, encrypted passwords, user account settings and IP addresses of 100 million of its customers to be compromised. 

It is reported that public actions and content including questions, answers, comments and blog posts were also accessed.

Law enforcement has also been notified, but the company has since stated the incident had been “contained” and it is believed that Quora users who had contributed data to the platform anonymously are not affected as the company does not collect identity information for those users that post anonymously.  

Another day, another breach

In the statement, the company said: “On Friday we discovered that some user data was compromised by a third party who gained unauthorised access to one of our systems.” The company added “that it is investigating the hack, and that its own internal security team will be working in tandem with a digital forensics and security firm in order to get to the bottom of the matter.”

With the world seemingly still trying to recover from last week’s Marriott hotel breach, which impacted roughly half a billion individuals, the Quora attack is another reminder for organisations to ensure security is in check. 

As a security measure, Quora is logging out those that are suspected to have been affected. The company is also sending out a password reset. 

Security experts take

In light of this, cybersecurity experts from the UK and across the Atlantic have had their say on the latest breach:

Javvad Malik, security advocate at AlienVault stated the breach was “significant, not just for the number of records taken, but also the information about individuals that was contained within. As we saw with the Cambridge Analytica fiasco, access to personal likes, tastes, and other preferences can be used against individuals.” Malik stresses the importance for companies that gather or possess a lot of personal information to seriously invest in security saying “this can start with the act of reviewing all data it holds and assessing whether all of it is necessary. Companies should also look so segment data, so that if a breach should occur, the damage can be limited to a subset of the data, as opposed to exposing it in its entirety.” 

Tim Erlin, VP at Tripwire believes time will tell as to the full reason why the attack occurred. He said, “unauthorised access” is a phrase that could cover any number of scenarios, from accidental disclosure to a sophisticated attack. While we might learn more about the details of this breach, they’re likely to come out well after the newscycle has moved on to the next incident.” Individuals should also be wary of any information they provide to organisations and this breach should act as “a good reminder that your personal data may be exposed through sites and services you don’t think of as sensitive.”

Disclosing all the details

The first line in Quora’s statement is rather telling for Julien Cassignol, senior IAM and PAM solution architect at One Identity, who feels Quora has a lot to answer for regarding their security.

“Firstly, Quora stated, “some users data”. Which data was accessed and compromised? Who accessed what? What was the motivation for that access? This clearly underlines the need to enable companies to be able to audit accesses made to data, both by automated actions and users. Deploying a sound logging infrastructure and enable auditing of privileged accesses to data provides this type of information.

“Secondly, the breach was initiated “by a third party”. How could a third party have the access to such sensitive data? How were they identified? Did they have the appropriate entitlements to access this data? Having a proper repository containing this information is therefore necessary. It should also be a requirement for organisations to log the reason why access is given to individuals or third-party organisations. This entitlement and the automated process to revoke these rights, if they're not appropriate anymore, isn't just optional – it has become standard procedure. 

“The final piece missing in the jigsaw is “who gained unauthorised access.” Once an organisation knows what is being done, whom it's being done by, and the entitlements that are needed to perform such an action, it will have a clearer picture of how the breach occurred. Gaining unauthorised access to certain systems means that, at one point during this incident, policies were not enforced, which made the breach possible. Therefore, it is vital that organisations understand the infrastructure that is in place, who's able to access the system and the operating powers that these individuals hold. This can greatly reduce the threat of an attack going forward.”

And so, another day, another breach.