Even though the Target breach announced last week is the second largest credit card breach ever, I would argue that its immediate effect on your organization is probably small. In fact, the recent Adobe breach probably had a much bigger direct impact on other organizations than the Target breach. Why? It's all about passwords.
And no - this is not a blog about the extremely low complexity found in the passwords harvested at Adobe, although I highly recommend you check out the crossword puzzle based on the most common passwords and their related hints. It might be the most joy a security professional can get out of seeing how little effort people actually put into security when given free rein (while quietly sobbing about how challenging this makes your job).
This is about how this particular breach likely impacted your users a lot more than any other. Massive breaches have been occurring more and more often over the past ten years, but the largest ones have always been after the two most highly regulated types of data: financial accounts and personally identifiable information. Sure, we started seeing just how weak passwords often are in the RockYou! password breach, but the vast majority of those consumers had used a personal email, as has been the case for most username/password breaches over time.
Having your employees' personal accounts or financial data leaked is devastating for them, but it does not frequently affect them as a user of your organization's infrastructure. As a security professional, you may have someone come to you for advice on recovering a Gmail account or better protecting an online banking account in the future, but it normally ends there.
That is where the Adobe breach seems to change the narrative. What I have heard directly from UserInsight customers is that we alerted them on anywhere from 10 to 300 of their users' accounts that appeared as usernames among the millions of leaked credentials. Whether this alert was used to immediately force a password reset, send a group email to those affected, or remind the entire organization of the importance of not reusing passwords, it is clear that the Adobe breach led to far more work-related accounts being potentially exposed than any single prior event security teams have had to deal with.
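As an added illustration of the check described above (example code written for this post, not UserInsight's implementation), the script below matches a leaked username list against an organization's mail domains and account directory, separates current accounts from corporate-domain addresses that are no longer in the directory, and orders a reset queue; the domains, directory, dump excerpt and the reuse-hint keywords are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: the organization's mail domains and current account directory.
CORP_DOMAINS = {"example.com", "corp.example.com"}
ACTIVE_ACCOUNTS = {"alice@example.com", "bob@corp.example.com", "carol@example.com"}

# Constructed excerpt in the shape of a leaked username/hint list (not real data).
LEAKED_DUMP = """email,hint
Alice@Example.com,usual
bob@corp.example.com,dog name
dave@example.com,work one
eve@gmail.com,
carol@example.com,same as everywhere
alice@example.com,usual
"""

# Assumed heuristic: hint words that suggest the same password is used elsewhere.
REUSE_HINTS = ("usual", "same", "work", "everywhere")

def normalize(email: str) -> str:
    """Lower-case and trim so 'Alice@Example.com' matches 'alice@example.com'."""
    return email.strip().lower()

@dataclass
class ExposureReport:
    active_hits: set = field(default_factory=set)   # directory accounts found in the dump
    orphan_hits: set = field(default_factory=set)   # corp-domain addresses not in the directory
    hint_flags: dict = field(default_factory=dict)  # email -> hint that suggests reuse

def scan_dump(dump_text: str, domains=CORP_DOMAINS, directory=ACTIVE_ACCOUNTS) -> ExposureReport:
    report = ExposureReport()
    for row in csv.DictReader(io.StringIO(dump_text)):
        email = normalize(row.get("email", ""))
        if "@" not in email:
            continue
        if email.rsplit("@", 1)[1] not in domains:
            continue  # personal address: not a credential for our infrastructure
        if email in directory:
            report.active_hits.add(email)
        else:
            report.orphan_hits.add(email)  # former employee, alias or typo: still review
        hint = (row.get("hint") or "").lower()
        if any(word in hint for word in REUSE_HINTS):
            report.hint_flags[email] = row["hint"]
    return report

def reset_queue(report: ExposureReport) -> list:
    """Force-reset order: active accounts whose hint suggests reuse first, then the rest."""
    first = sorted(e for e in report.active_hits if e in report.hint_flags)
    return first + sorted(report.active_hits - set(first))
```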
Have any examples of how you minimized the impact of the Adobe breach on your organization?