CBS Sports Data Leak - expert comments

April 2016 by

According to CNBC, Wandera, a provider of security and management for mobile data,
said it “found a data leak on the CBS Sports app and mobile website during the
college basketball tournament, allowing user data to possibly be compromised.”
Apparently, Wandera engineers were tracking data across various sports applications
in advance of the tournament when they noticed unprotected data from CBS coming
across its cloud service.

While CBS Sports denies an actual breach, Wandera says that anyone who accessed the
app from their mobile device on a public Wi-Fi could be exposed due to CBS Sports
failing to properly encrypt its site and app, which holds users’ sensitive data.

Dodi Glenn, VP of cyber security at PC Pitstop, says there are a few things to note
here. “First, the developer behind the application more than likely is not CBS -
oftentimes, large corporations will contract with someone to create an app. In
this case, whoever the developer is, that’s the company that should be making
comments on the vulnerabilities found. Second, rather than dispute the findings,
the developer should work with the research company (in this case, Wandera) to find
out why they are making the claims, and resolve it. Third, the research company
should always give a window of time for the company to do their own investigation,
and use responsible disclosures. Finally, it is one thing to have a breach, and
another to have a vulnerability. Just because there was a bug in their app doesn’t
mean that someone siphoned data from their servers.”

Eldon Sprickerhoff, chief security strategist of eSentire, says, “While it’s
possible for unencrypted Wi-Fi traffic to be sniffed (e.g. while you’re using a
local cafe’s hot spot), this doesn’t necessarily lead to a data breach. In this
case, it’s more likely that someone’s credentials could be exposed when the user
logs in. Encryption is essential to websites that require authentication to prevent
data leakage, but especially important when the network medium is not secured (such
as Wi-Fi). Without encryption, companies may expose themselves to this type of
unwanted publicity - where some can claim that they are not taking due care of data
that clients entrust to them.”

KnowBe4 CEO Stu Sjouwerman says, “Wandera said CBS Sports failed to properly
encrypt its site and app. Human error is not always an end-user clicking on a link
or opening an attachment - it can also be a software engineer who does not follow
secure coding procedures. Apparently, that was the case in this incident. Any
organization needs to have Policy, Procedure and Awareness in place to be as secure
as possible and a hard target for hackers.”

