Dropbox, a file hosting service, headquartered in San Francisco, California, announced last week to its 500 million registered users that a hack in late 2012 leaked just over 68 million customer passwords. While the company has made significant steps towards containing the leak, prompting relevant users to reset their passwords.
Patrick Heim, the head of Dropbox’ trust and security division said on the matter:
“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.”
While there are no official numbers reported on the use of Dropbox or other file sharing services within the life sciences industry, we have seen indications of large Pharmaceutical companies moving thousands of users to services like Dropbox and their closest competitor, Box. The likes of Dropbox and other file shares are offering employees a quick and easy way to share files across devices in a way that some of the other ECM products have failed to deliver in the past. However, there are still some valid reservations about the compliance and security functions associated with these services – something that this public leak isn’t going to help.
Are Life Sciences companies and their information safe?
While this password breach is hardly the biggest on record – this doesn’t top when hackers compromised 360 million MySpace accounts – but it’s still significant. Fortunately for Life Sciences companies, and any users of Dropbox the news isn’t all that bad. Many of the leaked Dropbox passwords are protected by a strong hashing function, and the remainder of passwords are also encrypted. This essentially means that your password and the passwords of your colleagues aren’t just sitting in a text document in a readable format like you’d type to log in. The passwords are put through a sophisticated hashing and encryption algorithm that turns your credentials into unreadable nonsense. However, these passwords are by no means useless to a hacker who may have many tools to decrypt these passwords.
Regardless, if you’re a Dropbox user, it’s recommended to change up that password just to be sure.
Should you manage regulated content in services like Dropbox?
While your passwords may be relatively safe and unbreakable, it still begs the question as to whether life sciences companies should be using services like Dropbox at all. This answer ultimately lies in how you plan to use these services – If it’s for unregulated information you may find success, but for confidential information I’d stay well clear of these services.
File sync and share applications like Dropbox and Box, for the most part, remain among the most blacklisted applications by companies around the globe, largely because of how easy it is for sensitive or valuable data to be moved out of the security of your organization. A few clicks and any user can download content to a USB or desktop. Even with complex data encryption technologies and other security measures, files can be copied or transferred almost effortlessly, making data leakage a significant threat.
While an employee downloading a form to fill out on their train commute home may seem relatively harmless, once that information is taken out of the enterprise, personal devices are easily hackable, and the potential for compromise is high. This makes making a case for managing regulated content in file shares extremely difficult.
The other issue that has been brought to light through this leak is the lack of sophistication surrounding Dropbox account management. While it may seem beneficial to keep a user’s account active without notification when it’s unused, this can be dangerous if hacks like this do come to light. Here at Montrium we’ve implemented a robust method to ensure accounts that are this old are no longer risky by creating specific account rules. For example, if a Montrium Connect user fails to log in and use the system for more than 90 days their password automatically expires, and they’re prompted to reset. With a year of inactivity (which is highly unlikely, but possible), a user’s account is completely deactivated and password to a random value to prohibit unauthorized access. Even in the unlikely event that these passwords are compromised, they are useless as they aren't remotely based on the users original password. We do this to ensure that if these passwords are compromised that the exposure is limited.
While Dropbox claims to comply with several standards and regulations from a security, privacy, and data protection standpoint, it’s not yet clear if these services can support the FDA and other global GxP regulations for managing electronic records compliantly – namely 21 CFR Part 11 & Annex 11. It’s for this reason that we would recommend going with a more comprehensive and secure ECM solution in the cloud (much like Montrium Connect). Not only will services like this provide you with the true ECM functionality you need to manage regulated content efficiently and securely, you’ll no doubt be working with a vendor that understands the inner workings of your industry and the regulations that govern it. Something Dropbox and other file share services may not be well versed in as they're all typically industry agnostic.