A cloud storage and file hosting provider has released a security update to address vulnerabilities that could have exposed data, even though the data had been encrypted. New Zealand-based MEGA has over 250m registered users from over 200 countries, and users have uploaded 120bn distinct files. The report says the vulnerability is highly complicated for outsider threats to exploit but not as challenging for rogue MEGA employees.
Thankfully, it appears no accounts were compromised before the security update. Researchers 1 - 0 Hackers. Nevertheless, this is the kind of story that would keep the average CTO, CIO or CISO awake at night. Is everything in order?
- Strong approach to security? Cyber Essentials? ISO27001? Appropriate technical & organisational measures to protect data?
- Registration with the appropriate regulator?
- Contract with the supplier containing robust obligations including indemnities for data breaches?
- Action plan to minimise the potential damage from a data leak?
- Insurance cover?
Of course, there's only so much diligence you can do on your provider and you can't make everything 100% safe. But you should remember that not all businesses recover from a data leak. How sure are you that your data is safe?
If you need advice, contact me at firstname.lastname@example.org or +44 (0) 20 7611 2338.
Researchers have shown that vulnerabilities in the encryption algorithm allowed them to access users' encrypted data.