By Katie W. Johnson
Online daily deal company LivingSocial Inc. has contacted more than 50 million customers whose information may have been compromised in a recent cyber-attack, a company spokesman told BNA April 29.
“The information accessed includes names, email addresses, date[s] of birth for some users, and encrypted passwords--technically 'hashed' and salted' passwords,” the company said in an April 26 email to customers. “We never store passwords in plain text.”
However, “[t]he database that stores customer credit card data was not accessed or affected by the attack,” Andrew Weinstein, a spokesman for LivingSocial, told BNA.
LivingSocial added in a security notice on its website that the database that stores the financial and banking information of its merchants was not affected.
The company said that it is working with law enforcement agencies to investigate the attack.
Connecticut Attorney General George Jepsen (D) and Maryland Attorney General Douglas F. Gansler (D) have asked LivingSocial for more information about the possible impact of the data breach on consumers, according to a May 2 statement by Jepsen's office. The attorneys general have asked for a timeline of the incident; the number of affected individuals in each state; the types of data compromised; any reports or complaints about unauthorized charges; and a description of the company's security protections.
“For the business, [the attack] is a tremendous confidence shaker, as it likely will lead to people becoming more reluctant to use this service,” Kirk Nahra, partner at Wiley Rein LLP in Washington and a member of the advisory board for BNA's Privacy & Security Law Report, told BNA April 29. “These kinds of breaches also can have a broader impact on internet commerce in general, putting pressure on all businesses to beef up their security and address potential customer concerns.”
LivingSocial said on its website that it does not believe that any customer accounts have been compromised as a result of the attack. “It is difficult to decode a password that has gone through the hashing and salting process, and we have not received any abnormal reports of accounts with unauthorized charges or activity,” the company explained.
“What this means is that our system took the passwords entered by customers and used an algorithm to change them into a unique data string (essentially creating a unique data fingerprint)--that's the 'hash',” LivingSocial said. “To add an additional layer of protection, the 'salt' elongates the password and adds complexity.”
“This breach is a reminder of how much information is available on the internet and how precarious it can be,” Nahra said. “At a minimum, this breach involves a variety of data that can be packaged to learn a lot about people, including a variety of information that could lead to areas of concern … .” For example, he said, the attack could lead to the discovery of additional information, such as businesses that a LivingSocial customer has patronized.
In addition to increasing its monitoring of customer accounts, LivingSocial retired the passwords of affected customers and directed them to create new ones. It also encouraged those customers to consider changing their passwords on other websites where they use the same or similar passwords.
LivingSocial is notifying customers of the cyber-attack in every country in which it operates with the exception of South Korea, Thailand, Indonesia, and the Philippines, Weinstein said. The company's subsidiaries in those countries store their information on different servers, he explained.
“The security of our customer and merchant information is our priority,” LivingSocial Chief Executive Officer Tim O'Shaughnessy said in a notice to employees provided to BNA. “We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.”
LivingSocial's customer notification and password change instructions page is available at https://www.livingsocial.com/createpassword.