Dropbox security breach revealed

Dropbox’s Vice President of engineering has admitted that the spamming of many of the cloud service provider’s clients in recent weeks has been traced to a breach caused by an employee re-using a password: Cryptzone says this highlights the dangers of using the same password for both business and personal purposes.

“Most governance experts – ourselves included – will tell you to use different passwords for different systems, but this case is one of those ‘wake-up-and-smell-the-coffee’ moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities,” said Grant Taylor, European Vice President of Cryptzone, the IT threat mitigation specialist.

“We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation’s sphere of control. Free services by their very nature don’t have the features to facilitate corporate control and management.”

The problem here, the Cryptzone European VP says, is that members of staff, particularly the young, tend to blur the lines between work and play – and whilst it is perfectly understandable for them to use the convenience of a service like Dropbox to access work files at their leisure, their managers need to explain that when it comes to corporate data, such practices simply are not acceptable in today’s regulatory environment.

If corporate information is moved to personal accounts in contradiction of corporate policies, you’re dead in the water as far as the boss is concerned. Apart from disciplinary action for the individual, their employer could be facing investigation by regulatory bodies, possibly resulting in severe fines. So when seeking to improve work/life balance, don’t just think convenience, think risk, he says.

Dropbox says it plans to roll out additional security measures that should help users protect their Dropbox accounts even if their passwords (or, presumably, those of its employees) are lost or stolen. These include two-factor authentication (Dropbox says this will be coming “in a few weeks”), new automated mechanisms to help identify suspicious activity, and a page that lets users examine all active logins to their account.