You Can Get Fired for Choosing Dropbox: A True Story

An MSP is contacted by a publicly traded company looking for help managing its IT. When the MSP goes to the company's conference room to explain how it can protect their servers, the decision-maker replies that they have no need for servers: they are using Dropbox.

The MSP is perplexed and explains that the cloud carries security risks of its own, and that it is safer to keep the data locally with encrypted backups. The MSP is mocked: Dropbox is safe and secure, the decision-maker says, her previous company had users on it and it worked great.

The MSP reiterates the concern, pointing out that a company under regulatory scrutiny shouldn't take that risk. More mocking. Finally, the MSP explains that if a government agency requests the company's data directly from the cloud vendor, the company may never learn that it happened.

The MSP is told in response that this isn't important to them: they are using Dropbox.

The MSP wasn't chosen. The company likely went with an alternative vendor who simply took the money and didn't give the advice it should have.

Fast forward some months. Yesterday we learned that 68,680,741 Dropbox account records were stolen. It is possible that many Dropbox accounts were accessed and their data siphoned off. How much data, if any, was taken is unknown at this point.

The compliance ramifications are potentially massive. The average cost of a data breach is $4 million, according to the 2016 IBM/Ponemon Cost of a Data Breach study. The company in question could have purchased a single HPE ProLiant DL385p Gen8 server for about $2,500 and paid about $20,000 for the labor and software needed to get it up and running. In other words, they would have saved just under $4M, and that number doesn't even take into account the cost of the cloud service. One caveat: that arithmetic only holds if the server itself is patched, backed up with encryption and properly access-controlled; an unmanaged on-premises box is no safer than the cloud account it replaces. The real difference is who controls the data, the logs and the breach notification: the company, or a vendor.

The cloud is amazing. It lets companies live beyond their computing means because they don't need to buy as much hardware (the OPEX vs. CAPEX argument). But successful cloud vendors are also huge targets, and for them getting hacked is a matter of when, not if.

Given that, companies should think twice before moving their data to the cloud. This is why Morgan Stanley blocks Dropbox.

The MSP in question is thinking of reaching back out to the prospect to see if they can sell them a server, but if the prospect's data was part of the breached information, the prospect will most likely be out of business.

What do you think about this story? Should the decision maker be fired?


Update 11/8/16

Dropbox reached out to say the account records were compromised, not stolen. They went on to say that there is no indication that Dropbox user accounts have been improperly accessed.

Patrick Heim, Head of Trust and Security had this to say:

“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.

While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing.”
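The statement above makes three claims worth checking as a practitioner: a salted hash leaked from one site says nothing about the same password's hash elsewhere, a forced reset neutralizes the leaked credential on the breached site even if it is cracked, and a reused password remains live on every other site until the user rotates it. The Python below, added here as an illustration and not code from this post or from Dropbox, models all three. It assumes PBKDF2-HMAC-SHA256 in place of whatever scheme the leaked records actually used, a constructed one-user dataset, and a constructed four-word cracking list; the site names and the password are invented.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with a modest work factor stands in for
# whatever scheme the leaked records actually used; the point is the salt
# and the reset, not the specific KDF.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with a per-record random salt; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


class CredentialStore:
    """Toy credential table for one site: email -> salt, hash, reset flag."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.users: Dict[str, dict] = {}

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "reset_required": False}

    def force_reset(self, emails: List[str]) -> None:
        """Invalidate the stored credential until the user sets a new password."""
        for email in emails:
            if email in self.users:
                self.users[email]["reset_required"] = True

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None or rec["reset_required"]:
            return False
        return verify_password(password, rec["salt"], rec["hash"])

    def change_password(self, email: str, new_password: str) -> None:
        self.register(email, new_password)  # fresh salt, reset flag cleared

    def dump(self) -> List[Tuple[str, bytes, bytes]]:
        """What an attacker walks away with: email, salt, hash, no plaintext."""
        return [(e, r["salt"], r["hash"]) for e, r in self.users.items()]


def crack(dump: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack: the salt is in the dump, so each guess is hashed per record."""
    found: Dict[str, str] = {}
    for email, salt, digest in dump:
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                found[email] = guess
                break
    return found


def run_scenario() -> Dict[str, bool]:
    # Constructed data: one user who reused a weak password on two sites.
    email, reused = "user@example.com", "Winter2012!"
    site_a = CredentialStore("cloud-storage")  # the site whose table leaks
    site_b = CredentialStore("corporate-vpn")  # a site where the password was reused
    site_a.register(email, reused)
    site_b.register(email, reused)

    leaked = site_a.dump()
    # Same password, different salt: the leaked hash says nothing about site_b's hash.
    hashes_differ = leaked[0][2] != site_b.users[email]["hash"]

    # Constructed wordlist; the reused password is in it, as weak passwords usually are.
    cracked = crack(leaked, ["password", "123456", "Winter2012!", "letmein"])

    # The breached site forces a reset for every leaked record.
    site_a.force_reset([e for e, _, _ in leaked])
    login_a_after_reset = site_a.login(email, cracked[email])

    # The other site did nothing, so the cracked plaintext works there (credential reuse).
    login_b_before_rotation = site_b.login(email, cracked[email])
    site_b.change_password(email, "correct horse battery staple 2016")
    login_b_after_rotation = site_b.login(email, cracked[email])

    return {
        "hashes_differ": hashes_differ,
        "cracked": email in cracked,
        "login_a_after_reset": login_a_after_reset,
        "login_b_before_rotation": login_b_before_rotation,
        "login_b_after_rotation": login_b_after_rotation,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The one result that matters for the company in the story is `login_b_before_rotation`: the breached vendor's reset protects the vendor's accounts, not the corporate VPN, mail or payroll systems where the same password was reused. Enforcing unique passwords and two-step verification on those systems is the control the company owns, whichever vendor leaked the hashes.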


Hi Rich,

Checking in on this request regarding the article Monday, “You Can Get Fired for Choosing Dropbox: A True Story.”

Can you please update the article for accuracy?

The piece states, “Yesterday we learned 68,680,741 Dropbox account records were stolen. It is possible many Dropbox accounts were accessed and the data siphoned off by hackers. At this point it is unknown how much data was stolen.”

This is incorrect – it would be correct to say, “Yesterday we learned 68,680,741 Dropbox account records were compromised. There is no indication that Dropbox user accounts have been improperly accessed.”

I’ve also shared the below statement from Dropbox Head of Trust and Security, Patrick Heim. More information also available on our blog post here

Best,

Jane Rubin

“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.

While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing.”

– Patrick Heim, Head of Trust and Security
