Finnish mobile phone vendor Nokia is the latest big-name company successfully penetrated by hackers. The company recently began notifying the public about a data breach that released information pertaining to developers who have created mobile applications for the company's phones.
Nokia released a notice on the breach earlier today, admitting that the company was the victim of a security breach targeting a developers' discussion forum. Through a targeted SQL injection attack, hackers were able to access a database containing Nokia developers' personal information, which had originally been submitted to register for the forum, the notice explained.
"During our ongoing investigation of the incident we have discovered that a database table containing developer forum members' email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack," the Nokia Developer website team wrote in the notice. "Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger."
Although the scope of the breach appears to be smaller than that of other recent high-profile incidents, Nokia responded swiftly and adequately. The company clarified in its notice that its investigation has not found any evidence that credit card numbers or other personally identifiable information were accessed. Furthermore, the breach is believed to have involved only email addresses, birth dates and usernames for AIM, ICQ, MSN, Skype and Yahoo accounts. This is limited to the fewer than 7 percent of Nokia discussion forum members who provided such information, the company explained.
Nokia has also taken the proper data security steps in response.
"Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments," the statement explained. "We hope to get the site back online as soon as possible and will post developments here in the meantime."
So far, the only use of the information is believed to be unsolicited messages, such as spam and spear-phishing attacks, sent to the accessed email addresses, Nokia added.
Nokia's prompt and thought-out response to a breach that may not actually lead to identity theft or financial loss may be a sign that large companies are learning from the incidents of months past. For example, even after a crippling hack put its massively popular PlayStation Network out of commission, Sony was targeted with several follow-up attacks, indicating that the company's data security standards were weak across the board.
The case at Sony reverberated throughout the IT industry and brought data protection to the forefront of concerns in both the public and private sectors. And, if some U.S. lawmakers have their way, a quick response to data loss will not just be commendable, it will be mandatory.
Legislation recently proposed by U.S. Representative Mary Bono Mack of California, titled the Secure and Fortify Electronic Data Act – aptly called the SAFE Act for short – is meant to force companies to notify consumers when their information may be at risk. Bono Mack, citing the high rates of identity theft at the hands of cybercriminals, emphasized quick notification as the most effective protective method.
"My legislation is crafted around a guiding principle – consumers should be promptly informed when their personal information has been jeopardized," she said in a statement. "The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now."
The legislation has already started moving through Congress and is not the only effort to restructure data breach notification regulations in the United States. Separately, Senator Richard Blumenthal of Connecticut has endorsed legislation aimed at simplifying compliance across the country. Current mandates differ by industry and by state and local jurisdiction, and they have been known to cause confusion for the companies subject to them. Blumenthal, along with several other lawmakers, is looking to establish federal laws that would apply to all companies and organizations, making it easier for companies to know when they do and do not need to notify the public of an information security threat.
Until more businesses and organizations can improve their data protection standards to ward off the threats against them, the focus appears to be on how fast they can inform the victims and clean up the mess. And Nokia is a sign that some of these large organizations are willing to comply.