Thursday, March 5, 2009

Spotify - You don't know what you've got til it's gone


I only registered with Spotify on Monday.  Since then I've become hooked.  Records that have been boxed under the stairs for a couple of decades are being played again courtesy of this virtual jukebox. How could I live without the Faces' A nod is as good as a wink to a blind horse or Joni Mitchell's Ladies of the canyon?

Then today it was reported this record streaming site had been hacked, with personal data of thousands of its users being stolen.

A Spotify spokesman explained the extent of the data taken.

"Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed," Spotify said. "Credit card numbers are not stored by us and were not at risk."

According to John Lister:

"The attack affects the estimated 10,000 accounts which were created on or before December 19 last year. Spotify found and fixed a security bug on that date, but has only just discovered people were able to exploit it."

This story highlights the importance of website users being aware of the potential for hacking of their data and the need for them to avoid using the same password on every site they use.  However, we should also expect companies, and particularly those that only operate online, to make appropriate information security arrangements.

According to the latest UK Government Information Security Breaches Survey (2008), companies still have a way to go in taking information security seriously. For instance, 52% do not undertake formal security risk assessments; 48% of disaster recovery plans are not regularly tested; and 21% of companies spend less than 1% of their IT budget on information security.

Of course, users should be careful in their selection of usernames and passwords, but we should be able to expect better than this from digital media companies.

A few years ago now, the UK bank Smile was able to boast that it was "the first UK online bank to be accredited with the ISO27001 Information Security certification. That means we have an extremely secure Internet Banking service."  

It is about time that all online businesses woke up to the importance of information security and put in place the safeguards required to gain ISO27001 accreditation.
