Lessons from the Latest Dropbox Security Lapse

A few weeks ago, word circulated that some Dropbox users were being spammed, stoking fears that Dropbox had been compromised.  Dropbox brought in outside experts to investigate the issue, and yesterday they announced the results.

According to the Dropbox blog, the root cause of the spam was actually the hacking of a different (and unmentioned) website. Hackers took the stolen credentials from that site and compromised the accounts of a few Dropbox users who happened to be using the same username and password for both services.  Unfortunately, one of those Dropbox users was actually a Dropbox employee, and that employee was storing an unencrypted document containing the email addresses of some Dropbox customers.  Predictably, those addresses were spammed.

Dropbox is trying to reassure users about the security of their service, stating that they’ve “put additional controls in place to help make sure it doesn’t happen again.”  They also announced several new security features, including two-factor authentication, a page to monitor active logins to your account, automated behind-the-scenes monitoring for suspicious activity, and in some cases, mandatory password changes.

This story presents myriad security lessons for lawyers and all professionals who hold sensitive data:

  • Use unique passwords for every site and service, especially those where you intend to store confidential information.  This current controversy would never have erupted if users hadn’t been using the same credentials for Dropbox and other services or sites.
  • Whenever possible, make sure the confidential data you put online is encrypted.  If the Dropbox employee discussed above had encrypted the document containing user email addresses before placing it online, those addresses would never have been spammed.
  • Do your research before entrusting sensitive data to a vendor.  Some vendors have spotty records when it comes to security and privacy, particularly vendors that focus on the consumer market rather than businesses.  Lawyers may need to avoid these vendors or at least take extra precautions when using their services.
  • Keep yourself informed.  Following the latest security news, even once or twice a week, will help you stay ahead of most significant security issues.  If you don’t feel comfortable with your own understanding of data security, or if you simply want to go a step further, invest in an outside expert to review your systems periodically.
  • Have a plan in place to respond to a security breach if it should occur.  Even the most secure practice can fall victim to a new virus, a sophisticated attack, or a momentary lapse in judgment by an employee.  Be sure to factor in any applicable laws regarding data breach notification.
