LastPass Breach Raises Disclosure Transparency Concerns

In the graphic novel “Watchmen” by Alan Moore and Dave Gibbons, one of the recurring themes is ‘Who watches the watchers?’, a question originally posed by the Roman poet Juvenal as “Quis custodiet ipsos custodes?”

The LastPass breach that was revealed this week should serve as a reminder of the critical role password managers now play in corporate environments—and of how important it is that there be oversight and transparency of companies that have responsibility for passwords and critical data.

LastPass clearly needs to be highly transparent in terms of disclosure. The company revealed that code was taken in the breach, but has yet to disclose the degree of risk that might create for customers. For example, might the stolen code be used to create exploits that would compromise the integrity of the company’s password manager platform? Other questions that need to be asked and answered include whether that code has been changed or altered in some way, especially if such changes could signal an imminent exploit.

Customers are also going to need assurances from a third party that no data was taken. Hopefully, this isn’t one of those situations when, days or weeks or months from now, we find out that, “Oh, by the way—we didn’t tell you at the time, but there was a loss of confidential or critical data …” LastPass customers need to know immediately if this is the case; there’s huge potential for this breach to become something much bigger than it appears to be today.

When it comes to identity management and securing credentials, LastPass is critical infrastructure for the IT industry. Credential theft and credential stuffing attacks via phishing are some of the most common attack vectors, and for years businesses have been advised to adopt password managers like LastPass to keep credentials safe. And, for the most part, this is great advice, considering how lax humans are about password security. But, again, what happens when the password manager itself is the victim of a breach?

What’s required, of course, is an agreed-upon disclosure process that addresses both what’s disclosed and how it’s disclosed when certain classes of software (like password managers, for example) are breached. Any type of privileged access management (PAM) platform certainly qualifies. We all deserve a full accounting of what happened, what was stolen and what measures have been taken.

I’m not calling for LastPass or any other vendor to be “taken down” because they’ve suffered a breach. Let’s be straightforward about it—every company has suffered breaches. If they haven’t, they just don’t know about it yet. That’s the attitude that security professionals need to take, because it’s going to happen. That said, there needs to be a close examination of how disclosures are made when critical software is involved.

Simply put, it’s time to take stock and really examine how we watch the watchers so that there is more trust and confidence across a software ecosystem that is under siege from multiple cybersecurity fronts.