Dropbox security breach proves service is not enterprise-ready

Could the incident be the wakeup call Dropbox needed?

The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise more forcefully after being hit by a spam attack that stemmed from the breach of an employee's account.

Dropbox confirmed Tuesday that a stolen employee password led to the theft last month of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites.

In investigating the theft, the company found that usernames and passwords stolen from other Web sites were used to access "a small number" of Dropbox accounts, an indication that account holders were using their credentials on multiple sites. Experts consider that practice a serious security risk, because hackers often use stolen credentials to enter other services.

Although some spam recipients claimed to use unique email addresses for Dropbox, the company said its investigation showed its internal systems had not been hacked. Nevertheless, the spam attack has not helped the company in its efforts to be seen as more than just a free consumer-oriented service. That effort started last year with the launch of a paid business service called Dropbox for Teams.

"I am doubtful that they are enterprise-ready at this time," said John Kindervag, analyst for Forrester Research. "Their focus and incentives are not yet properly aligned."

Others agreed that Dropbox still has a ways to go. "Dropbox has had a checkered history with security, but perhaps this was the wakeup call they needed," Chester Wisniewski, senior security adviser for Sophos, said in an interview via email.

Dropbox has said it will beef up security in light of the breach. The company soon plans to introduce a number of new controls, including two-factor authentication in which a temporary code would be sent to a user's mobile phone.

Other security upgrades include a new page that shows logs of user activity and other automated mechanisms for identifying suspicious activity. Dropbox may also start prompting users to change passwords that have been in use for a long time.

While Dropbox's security plans are likely to be welcomed, the bigger problem for businesses is that workers use such cloud-based services - without a corporate okay - to store sensitive documents that could violate compliance laws or internal data privacy rules, Kindervag said. Dropbox would not be the place to store such information, because the site doesn't provide businesses with adequate levels of control, such as auditing of data and tracking who got the information and what was done with it.

"While I certainly understand that users often feel like they need to do things to get their job done, they need to think about the security implications," Kindervag said. "Dropbox, from my perspective, is a very consumer kind of solution."

Despite the security risks, more employees in the future are expected to use services, mobile devices and other new technologies outside the control of IT departments. Gartner predicts that in less than three years, 35% of enterprise IT expenditures will occur outside of the corporate budget. As a result, many experts advise companies to abandon their command-and-control strategy and adopt a more cooperative tactic to deal with workers looking for the easiest way to get their jobs done.

Dropbox's changes should improve the security of users' accounts, and other companies, such as Google, Facebook and Microsoft, have already implemented many of the same features, Wisniewski said. As an added precaution, users of cloud-based storage should rely on tools, available from security vendors, for encrypting data before it is stored in the cloud.

"Personally, I don't store anything in the cloud that I wouldn't want publicly accessible unless it is encrypted," Wisniewski said.

Dropbox is one of many free or low-cost file-sharing services available to consumers and businesses. Competitors include ADrive, Box.net, Flickr, Carbonite, Google Gmail, Mozy, SugarSync and YouSendIt.


