Data breach notices have become so common in my household, I find myself reaching for a spreadsheet to keep track of them all. How many different ways can a company tell me my data has been stolen?
“Hey, man, we’re sorry. We’ve screwed up and let your personally identifiable information out into the wild. We’re sorry we’re so dumb, those hackers are so enthusiastic, and our salaried tech support couldn’t stop them.”
Take a look at the sincere pleading of Uber CEO Dara Khosrowshahi in light of the data breach they hid from customers. First, let’s look at the extent of the breach:
The names and driver’s license numbers of around 600,000 drivers in the United States were stolen in the breach, along with some personal information of 57 million Uber users around the world which includes names, email addresses and mobile phone numbers.
And here is Dara’s response:
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Anatomy of a Data Breach Disclosure
After a while, you begin to adopt a clinical perspective when reading them. “Do they really mean it?” I ask myself. Or, “Gee, could they have done a better job with this notification?”
You start to wonder at the anatomy of a well-written disclosure of a breach masquerading as an apology letter. Some have compared it to the stages of grief:
Which got me thinking about the whole data breach pattern thing and in particular, how it relates to the 5 stages of grief. And a data breach in many ways is like that: it’s a series of emotions experienced by someone who’s lost a loved one, it’s just that the loved one is their data! But seriously, it actually aligns well and it both explains The AA’s behaviour and foretells what’s about to come next. Let’s go through it. Read Troy’s complete blog entry.
The latest emailed notice, which came two weeks after another one in the mail, came from Armor Games:
We at Armor Games value your business and respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that may have involved your email and password. We are requiring all affected users to change their password, and recommend that they change this password on any other sites.
What Happened? On Oct 24, 2014, we discovered that a third party obtained access to our users’ emails and “hashed” passwords. That means that the passwords were encrypted in such a way that it is nearly impossible for anyone, even us, to read it. However, on Oct 24, 2017, a security researcher informed us of a file containing emails and plaintext passwords which claims the data had come from us (Armor Games) and another company (Coupon Mom). We are investigating whether we are the true source of the breach, since the number of leaked emails/passwords is far less than the number of emails breached on either our system or Coupon Mom’s system in 2013. Our users’ passwords were hashed (this makes it unlikely that they could extract plaintext passwords from our data), and some users are reporting that their passwords were included in this breach though they have never used either site. As we investigate the source of the data in this file, we are taking the precautionary measure of treating this as a data breach of our own users.
What Information Was Involved? The information in the file contains 11 million emails and plain text passwords. No financial information, names, addresses, or game data was contained in this document.
What We Are Doing. After the original discovery in Oct, 2014, we promptly hired a security auditor and implemented all their recommended changes as we investigate the matter, and notified our users. Today, we are notifying all affected users again, requiring that they change their password on our site, and recommend that they change this password on other sites. Furthermore, we are instituting new policies and code to further protect our users’ data.
What You Can Do. We recommend changing your password on any site where you’ve used this or a similar password. On particularly secure accounts, like your email login, we also recommend enabling 2-factor authentication.
When choosing a new password, we recommend that you avoid choosing a minor variation of your previous password. For example, don’t just change your password from “favoritehero832” to “favoritehero833”. Choose from random letters, numbers, and symbols such that the exposed password cannot be used to help guess your new password.
For More Information. Please email us at firstname.lastname@example.org for more information. If there are further developments that require additional action from you, we will send you updates about your situation.
ArmorGames sincerely apologizes for the inconvenience and concern this incident may cause, and remains committed to safeguarding the personal information in its care.
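One way to turn the notice’s “don’t just change 832 to 833” advice into an automated check a site could run when a breached user picks a replacement password. This is an example added here, not code from Armor Games or the original post; the function names, the substitution table and the distance threshold are my own assumptions.

```python
import re
import unicodedata

# Common character substitutions folded away so that "f@v0riteHero" is treated
# as the same stem as "favoritehero".  (Assumed table, not from the notice.)
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letter 'stem': fold case and accents, strip
    trailing digits/symbols, then undo common letter substitutions."""
    folded = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z]+$", "", folded.lower())   # "hero832" -> "hero"
    return folded.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the replacement password is too close to the exposed one."""
    a, b = normalize(old), normalize(new)
    if not a or not b:                      # all-digit passwords have no stem
        return edit_distance(old.lower(), new.lower()) <= max_distance
    if a == b:
        return True
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True                         # old stem embedded in the new one
    return edit_distance(a, b) <= max_distance


if __name__ == "__main__":
    exposed = "favoritehero832"              # constructed sample from the notice
    for candidate in ["favoritehero833", "F@v0riteHero!2018", "Tq7#mL9vXr2p"]:
        verdict = "reject" if is_minor_variation(exposed, candidate) else "accept"
        print(f"{candidate:20} {verdict}")
```

The check only needs the old password at the moment the user submits it alongside the new one; it does not require the site to keep the exposed password in plaintext.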
I suppose, if writing this letter/email, I would have begun with apologies first. But that might be premature. After all, Armor Games wants me to understand the full extent of what they are apologizing for. I am tempted to write the perfect letter. Oh wait, I already did that!
Here is a blog entry I encourage you to read. It covers creating secure passwords and more.