The social networking and gaming site RockYou.com was hacked in December 2009 and suffered a severe data breach that exposed the personal information, including email addresses, passwords and photos, of 32 million users. Of those 32 million, 179,000 were children. The situation went from bad to worse for RockYou when the hacker posted a snippet of the stolen data on the Internet, showing that RockYou had stored its user account data, passwords included, in plain text in its database rather than encrypting it. Unencrypted personal information is basically like catnip to a hacker, and from a risk perspective the company was in deep trouble. Compounding its problems, RockYou handled communication with its users and the public horribly, and the incident became a public relations disaster for the company.
The takeaways? This is a story about the consequences of a company’s deceptive business practices, a failed data security program and a clear lack of preparedness when faced with a large-scale data breach. Aside from the $250,000 fine and attorneys’ fees the company must pay, the other economic costs are the lost business and the widespread damage to RockYou’s reputation and brand caused by this catastrophic breach.