Thursday 16 July 2009

Why, even after Twitter, the Cloud is safe. Secerno weighs in

This week, the after-effects of Twitter's May breach became known, with confidential employee and company information being acquired and sent to TechCrunch. At a macro level, the information shows the potentially embarrassing data that exist in every company and that no executive, shareholder, customer, employee or partner would want to see revealed.

For Twitter these include names of senior executives who interviewed for positions at the company and are currently employed elsewhere, earnings projections, new product information, and floor plans.

What is interesting to those of us in the security industry is what the breach initially appears to be – a security failure in the Cloud, and what it really is – an exploit of the password recovery system and other features of Google Apps.

Cloud is no more secure or less secure than any other environment, and what happened at Twitter could have easily occurred in a traditional implementation. This breach indicates, at the very least, that traditional password protection practices were not being followed. This is not surprising considering the stress placed on current IT budgets, which results in security updates and practices being delayed. For every organization that holds information that could be deemed embarrassing if made public (so, everyone), Twitter serves as a reminder that open does not mean secure, and that protection needs to come from providing the appropriate care at the level of the data itself.