Here we go again. While it’s hardly a surprise to me, another “cloud” service has been confirmed compromised. After notifying customers and downplaying the potential threat to their data, Dropbox drops the big one – yup, they were compromised, yup, hackers gained access to “a small number” of customer’s accounts and data, and how do they handle the announcement? Well, they hide it in a “new features” announcement of course! See the post on their blog here: [blog.dropbox.com]
So what can we learn from this example?
Cloud providers are companies
Let’s pretend for a moment that you own a company that has tens of millions of customers relying on you to keep their data secure. From humble beginnings, you grew with the help of investors to what you are today in under 5 years. You’ve been featured on Forbes magazine, heck, they even named you named “Tech’s hottest startup” [forbes.com]. Now here’s the problem, you have a history of security flaws – like this one and this damning article here too. So today, you wake up to your super cool Blackberry (heh) buzzing away like crazy. What could this be? Oh great, customers are reporting some bogus targeted phishing scam. No big deal – except when you make it into the office, things start to fall into focus. It looks like this might just be a real deal compromise. Someone, somehow seems to have obtained a fairly substantial list of valid customer names. So what do you do?
If you answered downplay it like there’s no tomorrow, then promise a full investigation, then congrats, you’re thinking like a business owner in full damage control mode. And guess what? That’s just exactly what happened! First, as mentioned above, users noticed they were getting some very targeted phishing attacks two weeks ago. After a week of complaints, DropBox semi-officially acknowledged that some email addresses had been leaked. They were quick to follow up with some great news no one had accessed any accounts! Yay! That security team we hired said they hadn’t found anything yet.
But wait!
Just kidding! Yeah, actually DropBox was compromised, and awesomely enough, some accounts were accessed, and yup, some hackers were able to get data out of those accounts. Of course, since you don’t want to just announce something like that without a fix, customers were kindly left to wait around for what we can only assume was at least a few extra days while DropBox figured out some super great new features in response to the issue! So don’t worry, it’s all good now (riiight). Here’s the full blog post if you choose to read it. Security update and new features. If you look back on that blog, you’ll notice a few things.
- They only used their official blog to mention that they had a “security update” AND added new features. Good marketing work there, wouldn’t want to alarm your customers or investors, DropBox.
- Looking back, you’ll probably notice that the blog was never used to announce ANYTHING about the breach until now. Oh, but they added OS X Lion support on the 25th, so cool beans.
- We can only assume they located the actual point of entry and have resolved the issue by now. Let’s just hope, since I doubt they’ll ever mention this little boo boo again.
Believe it or not, DropBox is a company, and companies are primarily concerned about how to make the highest profit possible. This is how businesses work. So every time you decide it might be cheaper to have someone else store your data, just realize that their goal will be to make money AND store your data. In other words, unless you’re getting some additional services you couldn’t otherwise get without them, you could probably do it cheaper on your own.
So here’s where the problem lies: Cloud providers are bigger targets than your small/medium business or home. If a hacker can find a way in to Microsoft’s cloud, or Amazon EC2 or DropBox, or GoToMyPC or any of the other thousands of Cloud services out there there, then they also get access to all of the data that respective service controls. And THAT is way more interesting than plucking away on a few computers or individual targets at a time. They may have slightly more competent security, but the payoff is huge if just one hacker gets in. So go enjoy your cloud services, I’ll be keeping my data on my own systems where I know exactly who has access to it and when.
