Friday, April 4, 2014

Evernote: Security Breach (2013)

Controversy

With the rapid advancement of technology, our nation's companies have to keep current, making sure that they utilize the newest and greatest technologies. The company Evernote was trying to do just that; it created a unique online note-taking service. This service essentially gives users cloud storage for all of their text and picture files (Cluley). Users can keep their notes with them wherever they go, because all of the user data is stored in an Evernote server-side database, accessible through the Internet (Cluley). The issue with server-side databases is that if a hacker can breach the company's network security, they can gain direct access to all of the client information. In Evernote's case, a team of hackers weaseled their way into a protected database and gained access to over 50 million customer emails, usernames, and Evernote login passwords (Cluley). Although credit card information was not found in this specific database, the hackers can still do quite a bit with the information they obtained (Cluley). Simply by obtaining a list of emails, the hackers can easily send out mass emails to the customers, sending them malware or other viruses. Also, the Evernote password (although encrypted) could prove useful to hackers: since many people use the same password for everything, they could write a program that tries to log in to the email account using the Evernote password. This is yet another good reason to have multiple, varying passwords, so that hackers cannot access other accounts with the same password.

Individualism
As a primary theory that relates to my case, Individualism (or the Economic Theory) is helpful to define first. The theory itself states, "The only goal of business is to profit, so the only obligation that the business person has is to maximize profit for the owner or the stockholders" (Salazar Week 2). It's clear that the hackers had no intention of helping Evernote's profits. Their only goal was to gain access to data, in hopes of manipulating customers of Evernote. These hackers did not adhere to the rules of Individualism because their actions were not attempts to help a company or its stockholders but rather to breach security for their own benefit. Although the direct profits wouldn't be changed by a data breach, Evernote's security reputation has certainly taken a hit (Lunden).

A message sent out to Evernote users after the website was hacked
Utilitarianism
Moving to another important theory, one comes face to face with John Mill and the ideology of Utilitarianism, which states that "we ought to bring about happiness and pleasure in all beings capable of feeling it (and do so impartially)" (Salazar Week 3). The hackers clearly did not adhere to this theory, considering their actions left millions unsure and worried about whether their personal data would be stored or manipulated; none of this makes the customer happy. The hackers are obviously extremely capable of helping the customers, because if they had the programming ability to break the security system, they could help fix the network issues and make it more secure. Instead of adhering to Utilitarianism, the hackers abused their programming skill to make customers and shareholders uneasy, not happy (Westervelt).

Kantianism
A third theory that can be related to the Evernote breach is Kantianism (or Kant's Theory). The main principles of this theory include acting rationally, allowing others to react rationally, "respecting individual needs and differences", and being "motivated by Good Will" (Salazar Week 3). All of these rules, however, were broken by the hackers. Respect for individuals was out the window the second they gained access to MILLIONS of accounts. They did not intend to keep these accounts safe, or they would have been motivated by good will. Instead, their irrational actions of data breaching disregarded the individual customer and focused solely on the needs of the hackers. A subset of Kant's theory, the Formula of Humanity, states that we should "'act in such a way that you treat humanity, whether in your own person or in the person of another, always at the same time as an end and never simply as a means' (Kant, MM 429)" (Salazar Week 3). The hackers were not rational simply because taking information from others without permission is illegal and irrational; by definition, these criminals did not care for the good of humanity. They also focused only on the means: they hacked a database to gain information, but they did not think about the implications and consequences of their actions. Their actions were not valuable in themselves; quite frankly, data breaches are so devoid of value to any company that it's clear these hackers only thought about the means and not the end.

Virtue Theory
Phil Libin, CEO of Evernote
A final theory I propose connects to the Evernote data breach is Virtue Theory. Virtues by definition are "the characteristics that allow things to function properly" and depend greatly on function and circumstance (Salazar Week 4). Specific to business, there are four main virtues: courage, "risk-taking and willingness to take a stand for the right ideas and actions"; honesty, truthful interaction "in agreements, hiring and treatment of employees, customers and other companies"; temperance, reasonable desires; and justice, "hard work, quality products, good ideas, fair practices" (Salazar Week 4). This is where I bring into the case what Evernote did to abide by Virtue Theory and gain its customers' trust back. Evernote was willing to assure its customers that the data breach does not reflect the overall actions of the company. Promptly after the breach, Evernote sent out password resets to the phone numbers of customers, giving them a unique verification code that they would enter on Evernote.com to create their new password [See Below] (Lunden). On top of this 'two-step verification', Evernote now provides its users with 'access history' and 'authorized applications listings' (Lunden). The access history allows the user to view the past 30 days of history showing by whom and from where the account has been accessed, specifically so customers can be proactive and check whether unwanted people have accessed their accounts (Lunden). The applications listings let users connect their notes to other apps and allow them to authorize or prohibit interaction with other apps (Lunden). By instituting these new security precautions, Evernote shows its customers its intention to keep accounts safe and keep Evernote honest; it also provides its customers with quality products and fair practices by creating the security features and informing customers of the new two-step verification system.
Hopefully, with the continued use of these security settings, Evernote won't be the victim of another breach; perhaps with greater security the number of computer hackers will diminish, seeing as they won't be able to access the information they want to steal.


References

Cluley, Graham. "Evernote hacked - almost 50 million passwords reset after security breach." Naked Security. Sophos, n.d. Web. 4 Apr. 2014. <http://nakedsecurity.sophos.com/2013/03/02/evernote-hacked-almost-50-million-passwords-reset-after-security-breach/>.

DesJardins, Joseph R. An Introduction to Business Ethics. 5th. Reprint. New York, NY: McGraw-Hill Higher Education, 2012. Print.

Lunden, Ingrid. "Evernote Turns On Three New Security Features, Including 2-Factor Authentication, After Major Breach In February." TechCrunch. AOL Inc, n.d. Web. 4 Apr. 2014. <http://techcrunch.com/2013/05/30/evernote-turns-on-three-new-security-features-including-2-factor-authentication-after-a-malicious-hack-forced-it-to-reset-all-50m-user-passwords-this-year/>.

Westervelt, Robert. "Evernote Breach Means 50 Million Password Resets." CRN. N.p., 4 Mar. 2013. Web. 4 Apr. 2014. <http://www.crn.com/news/cloud/240149905/evernote-breach-means-50-million-password-resets.htm>.
