We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."
Based upon Thinq.com's estimates, this "very small number of users" equates to approximately 250,000 Dropbox account holders. Not such a small number, some would argue.
What issues does this incident raise?
1. Firstly, on the internet, as on corporate servers and home computers, there are always threats to data security. The category that usually gets mentioned in the media is malicious attacks such as hacking. But human error, as typified by this story, is another significant category.
2. When internet-based companies undertake a risk analysis, they should never underestimate the impact on reputation. Take these two comments posted by users on Dropbox's blog:
"Dropbox, what are you doing? You're screwing up your brand and reputation."
"The effect is not on data security but on PERCEPTION of data security. I am trying to convince not-for-profit boards/committees and small companies to get onto cloud-based solutions for info sharing & productivity gain. I am already dealing with 'oldies' who are still coping with email. This will send the debate backwards 6 months."
3. It highlights the importance of program and systems testing. This is a key operational system for the Dropbox company, and they might be advised to take a cautious, risk-averse approach to this type of system. That means clear identification of the problem, a good change control system, and exhaustive testing before putting the amended code live. This issue was also identified by those commenting on the Dropbox site:
"Hey Dropbox, it's all about QA'ing that code, boys & girls. We've all made mind-numbingly stupid errors, but with systems that touch as many people as yours, you have to test for stuff like this."
"It was an inexcusable bug, not an attack or something like that. Nobody is perfect but a few things are inexcusable because such a simple but serious bug simply shows carelessness and missing unit test. It is that simple."
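As an added illustration of the point made in item 3 and in the comment above (this is example code, not from the original post and not Dropbox's code; the post does not describe the actual defect), here is a small Python password verifier together with the rejection cases a release gate for login code should always run. A constructed "broken" verifier is included only to show which of those cases would flag a change that accepts credentials it should reject; the store format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed example: PBKDF2-HMAC-SHA256 records of the form "salt_hex$digest_hex".
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted record for a new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Return True only if candidate re-derives the stored digest under the stored salt."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed rather than open
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def login_check_results(verify: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Run the acceptance case plus the rejection cases a verifier must satisfy.

    Returns case name -> passed, so a release gate can fail on any False value.
    Acceptance alone is not enough: a verifier that says yes to everything
    passes "accepts_correct" and only the rejection cases expose it.
    """
    record = hash_password("correct horse battery staple")
    return {
        "accepts_correct": verify(record, "correct horse battery staple") is True,
        "rejects_wrong": verify(record, "wrong password") is False,
        "rejects_empty": verify(record, "") is False,
        "rejects_prefix": verify(record, "correct horse") is False,
        "rejects_case_change": verify(record, "Correct Horse Battery Staple") is False,
        "rejects_malformed_record": verify("not-a-record", "anything") is False,
    }


def gate_passes(verify: Callable[[str, str], bool]) -> bool:
    """True only if every case in login_check_results passes."""
    return all(login_check_results(verify).values())


def careless_verify(stored: str, candidate: str) -> bool:
    """Constructed stand-in for a regression that skips the comparison entirely.
    Illustrative only; it is not a description of the incident in the post."""
    return True


if __name__ == "__main__":
    for name, fn in (("verify_password", verify_password), ("careless_verify", careless_verify)):
        results = login_check_results(fn)
        failed = [case for case, ok in results.items() if not ok]
        print(f"{name}: gate {'PASS' if not failed else 'FAIL'} {failed}")
```

Running the block shows the correct verifier passing every case and the constructed careless one passing only the acceptance case, which is exactly why a login test suite needs rejection cases and not just a "valid login works" check.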
It seems that, sadly, not every internet cloud has a silver lining.