In recent news, Cisco Live 2010’s attendee list was hacked due to a security breach. The first questions everyone has after a breach are:

What was taken?

How was it taken?

Who took it?

How do we keep this from happening again?

We don’t know all the answers at this point; it would appear that Cisco doesn’t really even know what all was accessed. Regardless, this got me thinking about the perception of low-impact theft in the cloud. In this case, it is very likely, and hopefully the case, that Cisco was only storing names, e-mails, companies, and common LinkedIn-type information. Still, as companies look at ways to off-load mundane services to cloud providers, what if this information begins being used for other nefarious purposes?

While contact information might seem a lot less valuable to the traditional cyber-criminal, in terms of corporate espionage it can be a Holy Grail. Imagine a sales-focused organization’s Salesforce.com information being compromised: what information are they keeping on their customers and potential customers? What would happen if their rivals had access to that information?

While the move to cloud-based services is no less secure (and in some cases more secure) than a traditional enterprise security posture, we need to be asking questions at all times about how our data is being protected. What could be a simple contact list could lead to public embarrassment, civil liability, and more problems.
