Insurance giant Aviva UK is the latest company to suffer a cyber attack made easier by the now infamous web security bug Heartbleed. Heartbleed, which was first discovered on April 7, is the name given to a hole in secure socket layer (SSL) web encryption technology that allowed hackers to easily bypass different countermeasures in a system that up until that point was viewed as the gold standard of digital security. From Amazon to PayPal, name an eCommerce giant or popular news website, and chances are they use SSL to secure their pages.
While the Heartbleed problem was supposedly fixed with a patch a few months ago, this attack on Aviva shows that web users and companies that rely heavily on technology are still vulnerable to savvy hackers. In this case, hackers broke into MobileIron, a BYOD system service provider that Aviva works with to allow its employees to use their favorite tablets and phones for work purposes. The hacker sent messages to each device and each user’s email that read, “It maks my hart bled [sic] to say good by lik [sic] this, love u mobile iron.” The hacker then wiped all the devices and took down MobileIron’s server.
According to reports, Aviva UK is now distancing itself from MobileIron as it looks for a new BYOD service. That’s not terribly surprising when you understand that security that guards against abusive personal use and rogue IT is the first thing companies discuss when setting up their BYOD policies.
Too Early to Tell Just How Bad Heartbleed Is
Aviva’s misfortunes are not unique, unfortunately. A 19-year-old hacker in Ontario exploited the Heartbleed bug back in April, stealing 900 social security numbers from the Canada Revenue Agency. Luckily, he was found and arrested.
Two months later, the Aviva UK incident shows that we might not be any better off than we were, and facing that fact, it’s tempting to wonder just what exactly is being done to fix SSL and put an end to these issues. The problem, as was so deftly highlighted by technology site eWeek, is that no one is really sure how far the effects of Heartbleed go. How much was lost because of the SSL hole? What sort of backdoor software were hostile entities able to install before the supposed fix? Unfortunately, no one yet has those answers.