Data Breach of U.S. Identity Management Vendor, OneLogin

You may have seen the news that My1Login competitor, US vendor OneLogin, suffered a data breach whereby all US clients’ encrypted data has been stolen by persons unknown. Worryingly, OneLogin have stated that the thieves can decrypt this data. This follows an earlier data breach of OneLogin in August 2016.

We want to reassure our customers that My1Login cannot be exposed to the same threat as OneLogin.

Many vendors, including OneLogin, use server-side encryption when storing customer data in their cloud servers. At My1Login we have never believed that server-side encryption is good enough for our customers. Server-side encryption means that both the encrypted data and the keys that allow this data to be decrypted are stored by the vendor. This is akin to locking your front door, but leaving the key in the lock.

Consequently, My1Login was architected with client-side encryption, meaning that while the encrypted data is stored within My1Login, the encryption keys are not – they are stored within our customers’ own internal network. By always segregating the encryption keys and encrypted data we are not susceptible to the hacking incident that affected OneLogin.

Bill Buchanan of Edinburgh Napier University said in today’s BBC article “Increasingly [companies] need to encrypt sensitive information before they put it in the cloud system…”  This means that encryption should be performed before data is sent to the cloud, and encryption keys should be retained client-side, which is exactly how My1Login have designed their solution.

Our practical advice for any organisation considering an Identity and Access Management System is to ensure that any vendor you are evaluating uses client-side encryption, storing encryption keys on the client, not on the server. Server side encryption, of whatever strength, is not enough. My1Login only uses client-side encryption. IAM is secure, but must be architected correctly. With client-side encryption, it is totally impossible to access sensitive customer data without the encryption keys, which My1Login do not store, and only exist within the customer environment.

If you already have an IAM solution in place, or are considering implementing one, then our advice is to ask your preferred supplier if they use client-side encryption and accept nothing less.

If you'd like to find out how My1Login can help protect your business, please contact one of our Identity Experts.