MY SAY: Data breaches reinforce web risks

NEXT year is likely to be the year organisations focus on communicating with customers.

Whilst one could argue that this is always a focus for some, the difference will be that in 2017 what is said to customers will be made public for those that have to report data breaches.

Mandatory data breach legislation is pending on both sides of the Tasman.

Let's take Yahoo for example. Yahoo operates in countries that have mandatory data breach notification legislation.

That's why we know about these events.

Their latest public release on their latest data breach is worth a closer look.

Their release has been penned by Bob Lord, their CISO, which means chief information security officer.

This gives you a good sense of whether translation is needed, because most wouldn't know what a CISO is.

It's clear that Yahoo is becoming experienced in communicating with customers impacted by data breaches.

Their latest statement hits three really important requirements in communicating: (1) What happened? (2) What are we doing to protect our users?; and (3) What can users do to protect their account?

This is a good start, but the wheels start to fall off when we look at the IT speak used to explain to users what's happened.

For example, Bob Lord explains that the stolen information "did not include passwords in clear text", that a "third party accessed our proprietary code to learn how to forge cookies", but we have since "invalidated the forged cookies". Now it's important not to interpret Bob Lord as meaning last-minute Christmas baking at Yahoo has taken a turn for the worse.

Passwords in the "clear text" means passwords that are displayed on a screen when you type them in, as opposed to concealed, such as dots appearing when a password is typed.

What about "forged cookies"? Every time we visit a website we leave a trace of this visit, and this trace is called a cookie. In fact, it works the other way in practice.

The website leaves a cookie with our device.

This happens behind the scenes and is supposed to help those who operate a website understand more about the people visiting them, as well as help visitors improve their future engagement - such as not having to go through the rigmarole of proving your identity again because the website knows you (and their cookies).

Therein lies the Yahoo hack vulnerability.

By forging cookies, email accounts are exposed to being hacked because an attacker can impersonate a user, and gain information and perform actions on behalf of that user.
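The following is an added illustration, not part of the column or of anything Yahoo published. It sketches how a website normally protects the "knows you" cookie: the cookie carries the user's name plus a tag computed from a secret signing key, and the server refuses any cookie whose tag does not match. It also shows why "invalidating" cookies means replacing that key, so every cookie issued under the old one, genuine or forged, stops working. The key values and user names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secrets for the example. A real site keeps its key
# out of source code; the second key stands for the replacement used after a breach.
SIGNING_KEY_V1 = b"constructed-signing-key-version-1"
SIGNING_KEY_V2 = b"constructed-signing-key-version-2"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookies usually carry it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Reverse of _b64: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, key: bytes) -> str:
    """Issue a session cookie: base64(JSON claims) + '.' + HMAC-SHA256 tag over the claims."""
    payload = _b64(json.dumps({"user": user}, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes):
    """Return the user named in the cookie, or None if the tag does not check out."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(_unb64(payload)).get("user")
    except (ValueError, UnicodeDecodeError):
        return None


def edited_cookie(cookie: str, new_user: str) -> str:
    """A cookie whose claims were rewritten without the key; the old tag is left attached."""
    _, tag = cookie.split(".", 1)
    payload = _b64(json.dumps({"user": new_user}, separators=(",", ":")).encode())
    return f"{payload}.{tag}"


def demo() -> dict:
    """Run the four cases a defender cares about and report what the server concludes."""
    genuine = mint_cookie("alice", SIGNING_KEY_V1)
    return {
        # A cookie the site issued is accepted as long as the key is unchanged.
        "genuine_accepted": verify_cookie(genuine, SIGNING_KEY_V1),
        # Changing the name inside the cookie without the key breaks the tag.
        "edited_rejected": verify_cookie(edited_cookie(genuine, "bob"), SIGNING_KEY_V1),
        # Rotating the key invalidates everything issued under the old one.
        "after_rotation": verify_cookie(genuine, SIGNING_KEY_V2),
        # Users then get fresh cookies under the new key and carry on.
        "reissued_ok": verify_cookie(mint_cookie("alice", SIGNING_KEY_V2), SIGNING_KEY_V2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The tag check is only as good as the secrecy of the key. The column quotes Yahoo saying the third party "accessed our proprietary code to learn how to forge cookies": once the recipe and key are known, a forged cookie looks exactly like a genuine one, and the only fix is the last case above, retiring the old key so that every outstanding cookie is rejected and users sign in again.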

If you are a Yahoo user and have concerns, go to www.idcare.org for the latest advice.

David Lacey is managing director of IDCARE and Professor in Cyber Security at the University of the Sunshine Coast.