Editorial: Beyond the Heartbleed threat

The discovery of the Heartbleed bug, an online security flaw that’s alarmingly widespread, was just the latest reminder of how vulnerable Internet users are to the mistakes made by others. In this case, a programming error in a supposedly secure Internet communications protocol allowed hackers to steal passwords, credit card details and other sensitive information from websites for up to two years before the problem was found. A new version that removed the bug quickly became available, but even if Internet users change their passwords and credit card numbers, their personal information will still be up for grabs until the websites they used for banking, shopping and services install the update.

Although the Heartbleed problem affected an unusually large swath of the Internet, in many other respects it’s typical of the security issues that arise online. Hackers find a hole in the security measures used to protect sensitive data, the vulnerability is eventually discovered and new software is issued to fix the problem. But hackers continue to take advantage of the hole because some sites and users are slow to update their systems.

There’s no perfect shield against data theft. The question is whether the companies that store sensitive data will be diligent about responding to problems as they are discovered. Congress has balked at requiring companies to improve their security practices and keep their software up to date, persuaded by corporate lobbyists that the private sector already has plenty of incentive to do everything it can to stop hackers. Those incentives may be there, but they haven’t stopped companies from carelessly storing sensitive data without encryption and ignoring important software updates.

With Congress silent, the task of rooting out bad corporate data security has largely fallen to the Federal Trade Commission. For more than a decade, the commission has won settlements from companies that weren’t doing enough to protect the personal data they collect from consumers. But when the commission took action against Wyndham Hotels for a series of data breaches, the hotel chain pushed back, claiming the FTC didn’t have any authority over such incidents. Happily for consumers, U.S. District Judge Esther Salas in New Jersey disagreed with Wyndham, ruling this month that the agency can penalize companies that take a cavalier approach toward cyber security.

Business groups complain that the FTC is punishing companies for being preyed on by hackers. In the Wyndham case, however, the commission alleged that the company failed to use firewalls, operated servers with default user IDs and passwords, didn’t scan its computer network for viruses and stored credit card data “in clear readable text,” Salas wrote. Such practices are distressingly commonplace. The upside of the Heartbleed bug is that it reminds the world of the need not just for coders to plug the security holes in their software but for websites and services to stay on top of the changes.