

UK organization outlines online security measures

The United Kingdom’s Information Commissioner’s Office (ICO) has published a security report on the vulnerabilities that most often lead to data breaches

The United Kingdom’s Information Commissioner’s Office (ICO) has published a security report on the vulnerabilities that most often lead to data breaches, highlighting the need to “hash” and “salt” stored passwords to protect consumers’ credentials.

The report grew out of the ICO’s investigations into data breaches. Those investigations have led to serious and costly monetary penalties that have totalled almost a million pounds to date. The fines have ranged from about 200,000 pounds against the British Pregnancy Advice Service, after user details were found to be stored insecurely on the charity’s website, to a penalty against Sony Computer Entertainment Europe for failing to update its software, which led to the details of millions of customers being compromised.

"A hash function is a one-way method which converts a password into a hashed value, often simply called the 'hash,’" the ICO said in the report. "When a user first registers with a service and provides a password this is hashed and only this hash value is stored. When a user returns and enters their password, the hash is freshly calculated then compared with the stored hash. If the two hashes match, then the user can be authenticated."

"A 'salt' ... is a string of random data unique to each user," the ICO said. "The salt is used by combining it with the user's password, then hashing the result. The salt is then generally stored alongside the hash in a database. When a user logs in to the service the stored salt and the supplied password are freshly combined and hashed. As in the unsalted method, the new hash and the stored hash are compared to determine if the user should be authenticated. Even though salts will generally be available to any attacker who already has the related list of password hashes, using salts further increases the time and effort involved in mounting a password cracking attack."
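The two ICO passages above describe registration, login and the attacker's cost in words; the following is an added example (not code from the ICO report) that shows the same flow in working Python and measures the extra work a per-user salt imposes on a dictionary attack. The slow hash (PBKDF2-HMAC-SHA256 with a demo-sized iteration count), the 16-byte salt length, the user names, the wordlist and the passwords are all assumptions constructed for the example; a real deployment would use a dedicated password hash such as bcrypt, scrypt or Argon2 rather than a plain SHA-256, which the ICO's quoted definition does not rule out but which is far too fast for an attacker's comfort.

```python
"""Added example (not from the ICO report): unsalted vs. salted password storage
and the effect of a per-user salt on a wordlist attack."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumptions for the demo: PBKDF2-HMAC-SHA256 as the slow hash, with an
# iteration count kept small so the example runs quickly; 16 random salt bytes.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """One-way hash with no salt: the same password always gives the same hash,
    so one precomputed table covers every user in a stolen database."""
    return hashlib.sha256(password.encode()).hexdigest()


def register(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Registration as the ICO describes it: generate a random per-user salt,
    hash salt+password, and store only the salt and the hash (never the password)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], password: str) -> bool:
    """Login: recombine the stored salt with the supplied password, hash it
    freshly and compare with the stored hash (constant-time compare)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def crack_unsalted(stolen: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker holding an unsalted hash list: hash the wordlist once, then look
    every user up in that table. Work done = len(wordlist), however many users."""
    table = {hash_unsalted(word): word for word in wordlist}
    found = {user: table[h] for user, h in stolen.items() if h in table}
    return found, len(wordlist)


def crack_salted(stolen: Dict[str, Dict[str, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attacker, salts included in the leak (as the ICO assumes). Each user's
    salt forces the wordlist to be re-hashed for that user; the work counter
    records every hash computation the attacker has to perform."""
    found: Dict[str, str] = {}
    work = 0
    for user, record in stolen.items():
        for word in wordlist:
            work += 1
            if verify(record, word):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    # Constructed sample data: three users, two of whom share a weak password.
    users = {"alice": "password", "bob": "password", "carol": "dragon"}
    wordlist = ["letmein", "password", "hunter2"]

    unsalted_db = {u: hash_unsalted(p) for u, p in users.items()}
    salted_db = {u: register(p) for u, p in users.items()}

    print("unsalted: alice and bob share a hash:", unsalted_db["alice"] == unsalted_db["bob"])
    print("salted:   alice and bob share a hash:", salted_db["alice"]["hash"] == salted_db["bob"]["hash"])
    print("login alice/password:", verify(salted_db["alice"], "password"))
    print("login alice/Password:", verify(salted_db["alice"], "Password"))
    print("unsalted attack:", crack_unsalted(unsalted_db, wordlist))
    print("salted attack:  ", crack_salted(salted_db, wordlist))
```

With three users and a three-word list the salted attack costs the attacker seven hash computations against three for the unsalted case; the gap grows linearly with the number of users, and each of those computations is a full PBKDF2 run rather than a single SHA-256, which is the "time and effort" the ICO's definition refers to.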

The ICO’s report also outlined the need for businesses to have a well-designed “security architecture.” It made recommendations about what organizations can do to protect data stored on their systems, including segregating internal-facing from external-facing systems so that a compromise of a public-facing server does not expose internal data. The ICO also said businesses should have a software update policy in place and apply security updates “as soon as is practical.”

“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Simon Rice, ICO’s group manager for technology.

Heartbleed (CVE-2014-0160) is a bug in the TLS heartbeat extension of some versions of OpenSSL, the open-source encryption library, that let an attacker read portions of a vulnerable server’s memory, including private keys and user credentials.

"Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics,” added Rice. “If you’re responsible for the security of your organization’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.”


Contributing Author

Alexis Harrison

Alexis Harrison is a Connecticut-based writer and public relations professional whose career spans both print journalism and broadcast news. Alexis started her professional life as...
