Same data breach, different platform. This time Instagram and Google G Suite have been caught. In both cases, unprotected data was stored in the cloud, where it was easily accessible to third parties. Once again, the question remains: how can companies still be so alarmingly negligent with their users' data? More importantly, what else needs to happen to finally change the way sensitive data is handled?
In the case of the Instagram data leak, 49 million entries of known Instagram influencers were apparently stored in a database belonging to a marketing company in India. The file was stored unprotected on an AWS (Amazon Web Services) server and was therefore publicly accessible. This negligence was first discovered by a security researcher.
E-mail addresses, profile pictures, profile descriptions, telephone numbers and even the locations of some users were publicly accessible. Food bloggers, celebrities and other influencers were particularly affected. But the list also included data on users who had not cooperated with the Indian company. The company has yet to comment on this. After the data leak was discovered, the company switched off the servers completely. An examination of who is actually affected remains impossible for the time being.
At Google, passwords were stored in plain text in the G Suite cloud between January and May 2019. According to Google, only business customers and no private Google accounts were affected. The error occurred in G Suite's admin tools for resetting passwords. Since 2005, it appears that copies of unhashed passwords have been stored. This feature was allegedly used inadvertently in January. According to Google, however, the unprotected passwords were stored in an encrypted environment. Let's hope that this is true and that the Google G Suite passwords won't appear anywhere on the net in the near future.
Corporate managers and Data Protection Officers still too often ignore the fact that the protection of personal data cannot be delegated. According to the European Data Protection Regulation (GDPR), top management is and remains responsible for this and is personally liable with their private assets. It is therefore time for the European data protection authorities to finally tighten the reins.