Are usernames and passwords not valuable data?

There is a trend among organisations that suffer data breaches – such as Eurostar, which has just identified a major data breach – to downplay their impact by saying things like ‘while usernames and passwords were compromised, the good news is that payment card data was completely secure’.

Of course payment card data should be completely secure – that’s a PCI DSS (Payment Card Industry Data Security Standard) requirement. Why should personally identifiable information not also be completely secure? Any breach means the possibility of identity theft and the immediate necessity of changing yet another password.

Enough people use the same passwords for multiple accounts – because of the hassle of remembering multiple single-use passwords and the inter-device inconvenience of password managers (and it’s not as though password managers are immune from breaches) – for any breach to have potentially serious consequences.

Quite rightly, Eurostar is notifying all its customers – which is what you’re legally required to do where a breach poses a high risk to the rights and freedoms of data subjects. In this case, its actions speak louder than its words!