CSO Online reported that 200,000 valid Comcast login/passwords were offered for sale on a Dark Web marketplace. Comcast has prospectively required password resets for all 200,000 accounts, a reasonable response. How did Comcast learn of the existence of the list? Through the Good Samaritan actions of security researcher @flanvel, and the subsequent coverage at CSO. Now, I know bug bounties are all the rage, but you wouldn’t rely solely on “the crowd” to find your vulnerabilities, or APTs, or Insider Threats, or compromised social media accounts. You hire Qualys, Tanium, RedOwl, and ZeroFox to help you do it proactively and professionally.
Why is it still okay to wait for a researcher, the press or the FBI (or bad actors!) to tell you your sensitive data is floating around the Dark Web? How much longer will that practice be accepted? These questions are not brand new. They motivated the founding of Inner Loop portfolio company Terbium Labs, “way back” in 2013. Today Terbium is convincing the market one enterprise and one industry at a time that this practice needs to evolve, with some strong early success.
The reason the Comcast dump represents a new front is that Comcast insists the data did not come from a breach of their systems. There is some skepticism of this claim, but for now let’s take them at their word. Comcast’s customers’ data is for sale, Comcast feels some responsibility to protect it, and yet they are not the ones who lost it.
Any Comcast security or privacy officer surely recognizes the massive increase in the scope of their responsibilities that just implicitly occurred. They are now accountable for protecting Comcast customer data wherever it is and however it got there. Securing your perimeter or your endpoints is no longer enough. You now have to secure the entire data universe, including the Dark Web.
As I explained back in May, this is what was fascinating about Cyota (acquired by RSA) and ZeroFox (funded by NEA). They help customers secure not the finite space of their own networks, but the near-infinite space of all of cyberspace. Or at least try to. Or at least provide a better, systematic approach to that problem. There is no “perfect security” in these scenarios (or others!), but because the bar is set so low by current “best” practices, these companies can add a lot of value, even early in their product life cycles.
Now that Comcast has implicitly committed themselves — and by extension all their peer companies — to monitoring the Dark Web for their customers’ information, I am sure they will be developing a plan to do that other than waiting for @flanvel to alert them again.