IT Experts say Spotify data breach easily avoided

Cyber-Ark says Spotify data breach easily avoided

March 2009 - Cyber-Ark, the digital data vaulting expert, says that this week's major hack of the Spotify music portal, which was only launched in the UK quite recently, could easily have been avoided.

"Spotify's business model is to offer music for free, in return for user credentials and ads being played on a regular basis, but it should not have launched in the UK knowing its security systems were not up to scratch," said Mark Fulbrook, Cyber-Ark's UK and Ireland Director.

"Had the company protected the personal data of its customers, which included the names, birth dates, post codes and other information, perhaps using a data vaulting technology, then this public relations fiasco would not have happened," he added.

The only piece of good news, he went on to say, is that because premium account payment card details are handled by an external company, this data remains intact.

Fulbrook is also critical of the way that Spotify has handled the data breach. Unlike in the US, where companies are legally bound to notify their customers of a data breach, no such legal requirement yet exists in the UK, although companies have a moral duty to do so, he noted.

Yes, he says, Spotify is a free-to-use service, but the fact that it has effectively treated its customers - who are central to its business model - with disdain, is not a positive sign.

"All that Spotify has done is to make a series of postings advising customers to change their passwords. Sure, the company claims it is reinforcing its security, but this is like locking the door after the horse has bolted," he said.

"The security faux pas that caused Spotify's data breach and consequent public relations fiasco should have been sorted during the testing phase, and not so soon after the service's UK commercial launch. What a fiasco," he added.

Yvonne Eskenzi, Eskenzi PR