This week saw music streaming website Spotify announce that it had experienced unauthorised access to its systems and internal company data.
In the wake of the eBay breach, it said that there had been no compromise of user’s financial data, as a warning a portion of its 40 million users will need to re-enter, but not change, their login credentials while users of the Android app would be forced to upgrade.
Oskar Stål, CTO of Spotify, said that only one Spotify user’s data had been accessed, and this did not include any password, financial or payment information. “Based on our findings, we are not aware of any increased risk to users as a result of this incident,” he said. “As soon as we were aware of this issue we immediately launched an investigation. Information security and data protection are of great importance to us at Spotify.”
This fresh breach showed once again that web-based services can be as vulnerable as the retail and services divisions who have suffered at the hands of hackers in recent months. The industry naturally had some interesting views, here is some of what we heard.
Ross Brewer, vice president and managing director of international markets at LogRhythm
These breaches just keep on coming! It really does suggest that many businesses still don’t have the defences in place to deal with today’s escalating threats, or hackers are simply becoming more creative to get what they want. Either way, organisations need to up their game.
While this Spotify attack appears to be relatively minor in terms of customer impact, particularly when compared to last week’s eBay furore, it still raises questions about how equipped these companies are to keep our personal information safe.
Spotify’s statement makes no reference to when the compromise was discovered, simply that it acted immediately. Given only one user’s data appears to have been accessed, one has to question whether this announcement is a knee-jerk reaction to the criticism surrounding eBay’s slow disclosure. Whatever Spotify’s reasoning, the organisation has to be commended for shrugging off the stigma attached and ensuring the breach didn’t reach the catastrophic proportions of others like it. Before the EU initiates 24 hour breach disclosure laws for all sectors, all businesses should be following this lead to proactively reassure customers. We live in a time where the threat of legal or financial ramifications should not be the only motives for keeping data safe.
Keith Bird, UK managing director at Check Point
Spotify has done the right thing by responding so quickly and thoroughly, even though it seems just a single user was affected. This way, it has alerted its user base about what has happened, and how it plans to upgrade its security to better protect users’ details.
It would have been easy for the company to quietly issue a software update to address the issue without informing subscribers about the breach, but they’ve taken a responsible approach and I think people will welcome this. It will certainly help to ensure that more users apply the upgrades when they are available.
Dwayne Melancon, CTO Tripwire
Had this been as simple as one user over-sharing their login credentials, it would not warrant an all-user notification. Given that Spotify claims that only one user’s data has been compromised, I suspect this was achieved via a re-usable, broadly applicable attack method perhaps affecting older versions of the Spotify app.
My guess would be that someone demonstrated a proof-of-concept attack for the Spotify team and that constitutes the single known affected user. Users, partic
ularly on the Android platform, should follow Spotify’s recommendation and ensure they are running up-to-date software.
Raj Samani, CTO EMEA at McAfee, part of Intel Security
With billions of connected devices coming online, security is of paramount importance. What is worrying is our continued reliance on the single factor of authentication that is still being used to protect our data, there is an urgent need to move away from passwords which are proving incapable of protecting our digital assets.
Phones have cameras that could be used for facial recognition, and microphones that could be used for voice recognition so the technology exists, adding just one of these alongside a password would make security much stronger.
Peter Armstrong, director of cyber security, Thales UK
The news that Spotify is the latest firm to suffer a breach of its user data shows that the basic lessons on information security laid down by the Data Protection Act are not necessarily being learned.
A perimeter-based approach to security based around firewalls and defensive controls around the IT network is no longer sufficient – organisations need to rethink their approach to information security and take care to classify and protect data itself according to the sensitivity of that information.