Shocking Lack of Encryption Exposes Data
Well, this headline sure blew up quickly. It’s a story of absolute absurdity, given how little effort the cyber criminals needed to pull off a data breach of Tea, a dating advice and safety platform exclusively for women – and a second breach on top of that.
Four million users: this was the number of active users touted after a measly week on the Apple Store. Rather than provide the promised protection for its users, however, the app developers left their data storage completely unencrypted and unprotected, just sitting there out in the great wide open for anyone strolling by to see. Which is precisely what happened – a case of security failures leading to exposure of private chats and personal data for tens of thousands of users. All the bad actor had to do was provide a link to the database, which included such personally identifiable information (PII) as selfies, driver’s licenses, and even some private messages. Possibly 70,000 images were exposed, if not more. Some of these messages, part of a legacy data storage system, were as recent as a week prior to the breach, despite initial claims from the developer that they were two years old.
With the UK now demanding photo IDs for the most basic of Internet traffic, and other countries looking to follow, the danger of uploading personal photos leading to doxing is primed to explode. It is a bit of controversial irony that the app itself allowed users to share photos of others, as well as to link profiles to social media accounts and more.
And yet, as I said before, protection for everyone involved here was nonexistent. I’ve read other articles that use the words “hack” and “hackers” for this incident. But can you really call something a hack when there was zero encryption of sensitive data to guard it from bad actors? Is a building broken into if all the doors and windows are left wide open, with an absence of any other security measures?
Diction aside, what it really comes down to at heart is a startling lack of protection for vital data. Leaving information out in the open, practically begging cyber criminals “please, come take it,” was an invitation people were only too happy to accept. Why is data encryption important? Because it scrambles readable data into an unreadable format using an algorithm and an encryption key, and only someone with the correct decryption key can transform it back into its original form. NetLib Security’s transparent data encryption (TDE) solutions are an easy and cost-effective way to proactively protect your data. This is a breach that could have been avoided by encrypting the data storage systems containing the valuable data users entrusted to the app. Though the company insists it has fixed the data issue by now, it seems too little, too late: that tea has definitely been spilled, and it’s a flood.