CHICAGO - Customer information collected by three companies, including such household names as McDonald's Corp. and Walgreen Co., has been compromised in recent days.
The incidents highlight the issue of how vulnerable that information is, especially when consumers, overwhelmed with the number of online logins they need, use "dumb" passwords for their accounts, experts say.
Recent breaches contained such information as names and e-mail addresses. They did not involve crucial personal information, such as Social Security, bank account and credit card numbers, the companies said. In Walgreen's case, medical prescription information was not stolen, the company said.
McDonald's on Monday notified some customers that information they provided on the fast-food company's Web site or in promotions "was improperly accessed by an unauthorized third party." Information might have included name, mobile phone number, postal address and e-mail address. McDonald's said it hired Arc Worldwide to coordinate its e-mail promotions. Arc, the marketing services arm of Chicago-based Leo Burnett, then hired another company to manage the e-mail list. It was that company, which Arc and McDonald's would not name, that sustained the breach.
Gawker Media, operator of numerous Web sites, said its registered users' usernames and passwords were hacked over the weekend. Though passwords were encrypted, they're still vulnerable and should be changed, the company said. The danger comes if people used the same logins for a Gawker site as they do for all their accounts, including financial accounts. Gawker operates the Web sites Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9 and Fleshbot. The Gawker breach led to spam postings using some victims' Twitter accounts.
Walgreen on Friday said customers subscribing to the drugstore chain's e-mail distribution list should be on the lookout for spam directing them to another site and then asking for personal data. That was due to "unauthorized access" to its e-mail list. E-mail addresses only were compromised, not names, a Walgreen spokesman said Monday, declining to provide further details of the breach.
"The McDonald's, Walgreens and Gawker incidents should be a wake-up call for everyone," said Rob Fitzgerald, president of the Lorenzi Group, a digital forensics company.
Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm, said data breaches are on the rise.
"Unfortunately, consumers don't pay much attention to breach disclosures, even for large brands, because there are so many of them," he said.
In fact, 63 percent of organizations reported experiencing at least one security incident or breach during the past 12 months, according to the Global Information Security Trends study by the nonprofit trade group Computing Technology Industry Association.
"More troubling is the feeling that the severity level of breaches has increased over the last several years," said Steven Ostrowski, spokesman for the association. "Attacks that in the past that may have been done for sport or notoriety are now being done more frequently with criminal intent or financial gain in mind."
For consumers, one danger of stolen names and e-mail addresses is "phishing." Thieves can create and send e-mails that look like they are from legitimate businesses, such as a bank, and contain your name, trying to trick you into divulging more personal information, which can be used for more serious frauds.
Ultimately, the biggest problem is that people are too trusting and offer too much personal information, said Mike Meikle, chief executive of the Hawkthorne Group, a security consulting firm.
"The weakest link is the person using the device or piece of software," he said. "It's just about having a healthy skepticism. It's kind of a sad situation, but you have to kind of give everyone the eye. It's just the way it is."
And so many people use the same or similar usernames and passwords for all their accounts that they're easy to hack, said Graham Cluley, senior technology consultant for information security firm Sophos and operator of the Naked Security blog.
"People choose dumb passwords, like 'password' or 'letmein' or the brand of monitor they're looking at," Cluley said. Instead, they should use a random password for each site, rather than words in the dictionary that are easily hacked.
Because it's unwieldy to manage those, consumers should use password storage software. There are many examples, but free programs include LastPass and KeePass, he said.
"People really should be using those," Cluley said. "We are seeing more and more criminals understanding the value of this kind of data. And these organizations have to start learning their lessons as well. ... It's alarming that these organizations aren't encrypting the data."
Still, there's a danger to being overly alarmist about security, said Laura Heymann, an associate professor of law at The College of William & Mary who specializes in computers and the law.
"E-commerce would grind to a halt if consumers stopped disclosing basic information to companies as a result," Heymann said. So companies should report data breaches to customers promptly and take steps to minimize damage, she said.
"Consumers, for their part, should ensure that their passwords are robust and that they are appropriately suspicious about any request for their personal information," Heymann said.
- Create safe passwords. Use strong passwords that aren't real words. You might use a mnemonic device taking the first letter of a favorite phrase, lyric or poem, said Graham Cluley, senior technology consultant for information security firm Sophos. A Civil War buff might use the Gettysburg Address, "Four score and seven years ago our fathers brought forth," which becomes 4sa7yaofb4th.
- Use password keepers. Generate random passwords with software that remembers them for you. Read the privacy policies of any password software you use.
- Don't use an obvious pattern to your passwords. For example if your Yahoo account password is "Yahoo," and your Google account password is "Google," then it follows that your Walgreens password might be "Walgreens," said Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm.
- Don't divulge your passwords. E-mails appearing to be from companies requesting your password are probably fraudulent.
(c) 2010, Chicago Tribune.
Distributed by McClatchy-Tribune Information Services.