My personal data was compromised, .......
Last week I got a notification from an online company that my personal data was compromised.
Dear ........, we are writing to let you know that we recently discovered that some user data was compromised as a result of unauthorized access ......
The message came from a company founded by two former Facebook employees. The company shows a few similarities with the early days of Google and Facebook, when a lot of folks wondered "how are they ever going to make a profit?" Well, both Facebook and Google have shown how to do that: DATA. But have they learned their lesson(s)? The lesson that the DATA brought to them, delivered, constructed and generated by YOU and ME, rests on a TRUST model.

This company is known as a global web forum type application for questions and answers, and I must admit, the kind of answers you find on a wide variety of topics is sometimes mind-boggling, inspiring, and helpful in satisfying the question or the curiosity at hand. So far, so good. But what about that lesson of TRUST, what about all the USERS who make that content available? This company has received 160 million US$ of angel and venture capital injections and seeds. Because of that monetary TRUST from investors, because of the TRUST of the 200 million unique visitors per month (so they claim), and because of its business model and vision of future advertisement revenue, the company is valued at 1.8 billion US$.
What facts can we consider as being "good or reasonable" here during that data breach?
1) The fact that the USERS get informed about the breach I consider a good thing (I am sure the company did not take pleasure in pleading mea culpa, but they did communicate). That somehow creates sympathy among the USERS; the fact that they are transparent about it also makes this company a victim (a sort of "we are in the same boat together" idea).
2) The information provided on what happened (unauthorized access) and when (November 30th), and what they are doing about it (further investigation, measures), I consider to be to the point, clear and professional.
3) The course of action: the company also provides the USERS with some options on what to do.
3a. They provide, for example, the option to delete my account (but clearly state that this does not change the data breach, as that has already happened).
3b. They provide the option to reset my password (which is always a good idea and good practice).
3c. They provide the option to supply me with all personal data the company holds on me (the GDPR right of access) .... (and the right to be deleted, see option 3a).
4) The delay between detection and notification was reasonable: November 30th detected, December 4th informed, 5 days between detection and notification. (Strictly speaking this is the time to notify, not the MTTD, the mean time to detect, which would measure how long the unauthorized access went unnoticed before November 30th; that figure is not given here.)
What can we consider as "bad or mediocre" at best about such a data breach?
The fact that this online web platform (or forum) was breached in the first place I consider a disappointing surprise, but then again I do understand that there is no 100% prevention of or protection against these breaches.
What I find bad is the fact that not all my personal data was encrypted: my password was encrypted, so why not my email address? Why not my social platform identity? The founders come from Facebook; surely the former Facebook CTO must have seen Zuckerberg appear before committees and make a not very smart impression on the world. So I am calling upon Mr. Adam D'Angelo to show the over 100 million USERS that he has learned from the Facebook drama.
The other troubling fact is the "connect option" with your Facebook or Google identity; that would imply that these records (by virtue of the connection) are also breached. So we are now talking maybe about over 100 million x possibly 3 breaches. Now we are talking about a technical TRUST issue. I trusted my login and credentials via "CONNECT WITH YOUR .........<existing> ACCOUNT". In my opinion, this is where one of the real dangers lies: trusted connections, trusted authentications. In this day and age, with that many breaches going on, hmmm ...... also a wake-up call for people in the security business.
What I find pretty ballsy is the fact that the company offers to supply everyone's personal data within 72 hours after confirmation of receipt of the request. We are talking about over 100 million USERS (unique visitors per month). I am sure the company has thought about this (about the probability of people coming forward, the number of USERS expected to call them out to deliver, some caveat language like AFTER CONFIRMATION OF THE REQUEST ......).
So I am going to call them out.
I will request my personal data, and based on their reaction, their communication, the delivery, the speed, the promise they made...... I will determine whether they earn MY TRUST or not.
Over the last couple of weeks we could read in multiple blogs on our website that companies are being breached (SHEIN, BA, TICKETMASTER, MARRIOTT); we read about it ever more frequently, and it seems that if you do not have more than 100,000 breached records you are not hitting the news, not going viral. The part which is starting to make me wonder and think (after being victimized myself) is: how do companies protect themselves? Do they protect themselves in the first place, and if so, to what extent? Is it the cover-my-ass principle to avoid any lawsuits or GDPR penalties, making sure they have taken, in lawyer talk, "any reasonable" measure? OR have they truly understood that the TRUST of their DATA suppliers is the essence of the new business model?
So if DATA is the new digital FUEL for the economy, TRUST has to be the oil. And when it comes to trust, there is an old saying in many languages:
TRUST arrives on foot and leaves on horseback. So you had better do something and rethink your security measures and policies, and think about this one question: "what would happen to us as an organization if our data were breached and popped up in the news?"