About Hilary Tuttle

Hilary Tuttle is the editor of the Risk Management Monitor and Risk Management magazine.

The 25 Worst Passwords of 2015

In another reminder that users are always the biggest security weakness, “123456” and “password” have once again been named the most commonly used bad passwords. In SplashData’s fifth annual “Worst Passwords List,” the company has compiled the most common weak, easily guessable passwords that leave users vulnerable to hacking and identity theft.

Pulling from more than 2 million leaked passwords revealed during the year, the list highlights just how vulnerable users are. Some new and longer passwords made the top 25, reflecting some effort by websites, system administrators and perhaps users themselves to try to force better security practices by requiring more characters. Unfortunately, these longer passwords are so simple that the extra characters mean little, particularly given how few passwords utilize both letters and numbers.

Some new bad passwords may seem a bit more complex, for example, “1234567890,” “1qaz2wsx” (first two columns of main keys on a standard keyboard), and “qwertyuiop” (top row of keys on a standard keyboard), but are easily guessable and clearly not quite as innovative as these users may have thought. It seems the excitement over Star Wars also had an impact: with common passwords “starwars,” “solo” and “princess,” the force of bad information security awakens.

Check out the infographic below for the top 25 worst passwords and some of SplashData’s top tips to build ones that stay off the list.

SplashData worst passwords of 2015

Legal Woes Highlight Dangers of the Food Industry Supply Chain


A spate of recent cases offers a clear warning for the food industry about the legal and reputational perils of not getting more serious about supply chain control.

On Monday, the U.S. Supreme Court declined to consider an appeal from Nestle, Archer Daniels Midland Co. and Cargill Inc., allowing a slave and child labor lawsuit to proceed against the three food industry giants.

Three plaintiffs claim they were trafficked from Mali as child slaves and forced to work harvesting and cultivating beans in Cote d’Ivoire, and allege that the companies aided, abetted or failed to prevent the torture, forced labor and arbitrary detention they suffered.

According to Reuters:

The plaintiffs, who were originally from Mali, contend the companies aided and abetted human rights violations through their active involvement in purchasing cocoa from Ivory Coast. While aware of the child slavery problem, the companies offered financial and technical assistance to local farmers in a bid to guarantee the cheapest source of cocoa, the plaintiffs said.

The defendants knew about the child slavery problems in the region and offered both financial and technical farming assistance to support the agriculture methods in place, the plaintiffs claim. What’s more, they say, the defendants could have used their leverage in the cocoa market to stop or limit the alleged child labor practices and failed to do so.

According to the Wall Street Journal:

Mark Theodore, a partner at Proskauer Rose, said that the ruling reinforces to companies that they need to be socially responsible employers. And while there is no way to ever completely prevent such risks, he said the ruling is a reminder to companies that they “should be monitoring and also maybe doing a little bit of introspective thinking about their own practices to avoid these things, or prevent them from happening, or to put themselves in legally defensible position if they can’t prevent them.”

In September, the Justice Department finalized a landmark conviction of the former head of the Peanut Corporation of America, who was sentenced to 28 years in prison for knowingly shipping salmonella-tainted products that sickened 714 people and killed nine. That may be the department’s first step in a new approach to taking food industry product safety more seriously, and more aggressively pursuing wrongdoing on a criminal level. The Justice Department has now opened formal investigations into the e. coli outbreak at Chipotle and the listeria outbreak at Blue Bell Creameries, both of which sickened hundreds of consumers.

The department has already signaled a broad intention to focus more efforts on individual law-breakers in corporate crimes. Now, the government appears to be showing the food industry that things are changing in terms of corporate responsibility and food safety, according to Andrew Lankler, partner at Baker Botts. Lankler told the Wall Street Journal that the Department of Justice is signaling that whatever standard the food industry thought it needed to meet for food safety, the bar is higher. “The department is going to step up enforcement in areas where they can prove they sold tainted product,” he said.

And the trouble at Chipotle shows little sign of abating. The CDC is still investigating multiple outbreaks, and the chain has now been served a subpoena as part of a criminal probe by the U.S. Attorney’s Office and the Food and Drug Administration’s Office of Criminal Investigations regarding an isolated norovirus incident in August.

A fourth lawsuit was recently filed by a customer who claims he was sickened by the same strain of e. coli linked to Chipotle, but this case dates back to July, meaning far more people may have been affected in the outbreaks. At least nine suits have been filed by customers, and Bill Marler, a food and safety litigator in Seattle, claims more are coming from the 75 Chipotle-related clients he represents.

At this week’s ICR conference, CEO Steve Ells said he is hopeful that the CDC will soon declare the restaurant’s e. coli outbreak over, adding, “we know that Chipotle is as safe as it’s ever been before.”

To that end, Chipotle announced today that it will close all of its stores on Feb. 8 to have a corporation-wide meeting with all staff regarding food safety.

But customers remain extremely wary. Indeed, while it may be an e. coli cliché, it would not at all be a stretch to say public opinion about the brand remains in the toilet, with YouGov’s BrandIndex score for the company seeing a drop equal to that of GM during its crisis.

yougov poll chipotle

To combat that, the company also announced plans to launch a sizable new marketing campaign to win back customers, using direct mail and traditional advertising to attempt to win back consumer confidence. As Fortune reported, executives said the campaign will attempt to provide a “detailed story of what happened” to explain to customers why they are now safe, and that it will not focus overtly on food safety, but will have “an undertone” of humility.

Chipotle’s stock dropped nearly 42% in the wake of the outbreaks, and according to an SEC filing, sales at stores open more than a year were down 30% last month. Ells and his team admitted they could not guess how much the fallout will impact 2016 financial results, but expect it will be a “messy” year. Costs are expected to go up from the marketing campaign and new food safety measures, including processing more food through centralized kitchens in an attempt to better control the conditions of ingredients.

The company darkened its outlook for Q4 results. As Wells Fargo Securities wrote in a recent research note, “We expect CMG to point to a hard-fought and long-tailed [same-store sales] recovery across 2016, and to stress that there is still much work to be done in assessing the sizeable costs associated with the company’s supply chain overhaul.”

For more about food safety crises and product recall, check out the following articles from Risk Management:

Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot

Food Safety Updates Stalled by Funding

Maximizing Coverage for a Product Recall

Chipotle Food-Borne Illness Outbreaks Highlight Supply Chain, Reputation Risks

For the past month, Chipotle Mexican Grill has been mired in a food safety crisis. An e. coli outbreak linked to Chipotle has sickened at least 52 people in nine states. In a seemingly unrelated outbreak, 120 people in Boston – most of them students at Boston College – also fell ill after contracting norovirus from eating at the quick-service chain.

While food safety and product recall concerns are always a major liability for industry players, the spate of infections poses even more of a threat to Chipotle as the company has built its reputation on the foundation of a healthy, responsible supply chain, boasting its use of fresh produce, meat raised without antibiotics, and a network of hundreds of small, independent farmers. As Bloomberg put it, the company’s biggest strength is suddenly its biggest weakness. Given the chain’s 1,900 locations and the rate at which it has expanded (about 200 new locations every year), its supply chain is already under significant pressure. When an audit found unacceptable practices earlier this year, the company suspended a primary pork supplier, pulling carnitas from the menu at about a third of its restaurants nationwide. The company pointed to its decisive action as proof of its commitment to sustainable agriculture, but many analysts said it highlighted the company’s inherent vulnerability to supply chain issues.

“You can never eliminate all risk, regardless of the size of suppliers, but the program we have put in place since the incident began is designed to eliminate or mitigate risk to a level near zero,” Chris Arnold, the company’s director of communications, told Bloomberg.

Now, as the number and geographical spread of E. coli cases grows, the company has closed dozens of restaurants for what it promises will be thorough investigation and cleaning. Steve Ells, the company’s co-chief executive, went on the “Today” show to publicly apologize and vow that reforms currently being put into place would turn Chipotle into a leader in food safety. “The procedures we’re putting in place today are so above industry norms that we are going to be the safest place to eat,” he said.

But consumers are not so sure: sales fell 16% in November, and the company’s stock price has dropped almost 30% since the outbreak was first detected, the Washington Post reports. Analysts and the company itself have said they expect the outbreak to continue to cause a drop in sales. Take a look at how the ongoing crisis has impacted the company’s stock:

chipotle stock e coli

These doubts may have long-term impacts on Chipotle and may even extend to other food industry stakeholders.

“Fast-food companies are 100 percent reliant on their food supply to send them something that is pathogen-free, but the supply chain is still extremely reluctant to test every [food] product it provides,” food safety consultant Mansour Samadpour told the Washington Post. “Many companies are starting to do it, but the reluctance is real and it’s problematic — and that’s getting in the way of food safety.”

“I worry that [consumers] look at food safety from the organic, non-GMO, sustainability, animal welfare standpoint,” Bill Marler, a lawyer specializing in food-borne illness, told the Post. “And a lot of people in that space, in that agricultural movement, tend to believe that because they do those things their food is automatically safer than food that’s served at McDonald’s or Jack in the Box or Walmart. But that’s just not the case.”

For more about food safety crises and product recall, check out the following articles from Risk Management:
Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot
Food Safety Updates Stalled by Funding
Maximizing Coverage for a Product Recall

Another Reminder About Emergency Planning for an Active Shooter

Washington Post shooting calendar

Yesterday, Dec. 2, 2015, marked the 336th day of the year and 355th mass shooting, according to the Mass Shooting Tracker, which logs incidents in which four or more people are shot. Indeed, there were two mass shootings yesterday: a smaller incident in Georgia in which a woman was killed and three men injured, and the slaughter of at least 14 people and injury of 17 at an office holiday party at San Bernardino’s Inland Regional Center, which provides social services to residents with developmental disabilities. No motive has been found thus far, but two shooters have been identified as a county employee who had attended the party and his wife.

As I wrote in the November issue of Risk Management magazine, researchers from the Harvard School of Public Health and Northeastern University found that the rate of mass shootings has tripled since 2011. According to a study released last year by the Federal Bureau of Investigation, active shooter incidents, where police arrive to a shooting in progress, are also on the rise. The FBI found that 160 of these incidents had taken place in the United States between 2000 and 2013, 70% of which occurred in either a business or educational environment. An average of 11.4 incidents occurred annually, averaging 6.4 in the first seven years studied, and 16.4 in the last seven years.

With the growing frequency and ever-increasing fatalities, risk managers clearly cannot afford to become inured to these incidents. Rather, much as they do for other forms of crisis, from fires to tornadoes, they need to act now to train employees, develop emergency plans, and ensure business continuity provisions are in place.

“You have smart people leading organizations who know they need to do something, but you see them fall into a pattern of planning to have a plan, and they confuse that with taking action on the issue,” said Jay Hart, director of the Force Training Institute. “Planning to have a plan is not a plan. They need to understand that this is a leadership issue, because it is about protecting the people in the company.”

For tips on preparing for an active shooter incident, check out the Q&A with Hart from the December issue of Risk Management, and “Preparing for an Active Shooter Incident,” from the November issue. When developing a plan to respond to an active shooter crisis, make sure to: