Thinking about incident response
So I woke up to find that uKnowKids had issued a statement yesterday about their exposed database, an exposure that had been uncovered by and reported to them by Chris Vickery.
Regular readers of this blog will recognize Chris’s name by now, as he’s uncovered a number of misconfigured databases that have been investigated by this blogger, Vickery, and Steve Ragan of Salted Hash, including exposures of
- 191 million registered voters
- 19 million voter profiles
- Three Lock Box
- Microsoft careers site
- California Virtual Academies
- Vixlet fan networks
- Patricia Mullen client data
- Hello Kitty
- Virtue Center for Art & Technology
- Nomi, and the one that started this site’s collaboration with Vickery:
- Systema Software.
That’s a lot of exposed personal information that we would not want in the hands of criminals, and thankfully, it was Vickery who uncovered the exposures and reported them to the responsible parties.
So what is the appropriate response when someone calls you to tell you that your database with personal and/or proprietary information is exposed?
The appropriate response, in my opinion, is “Thank you so much!”
And the appropriate disclosure is to tell your customers or individuals that due to a mistake, their data was exposed, but thankfully, a researcher spotted it and reported it to you so that you could secure the data.
Painting the researcher as some kind of “hacker” will only worry your customers needlessly if the researcher is Vickery, who has cooperated with federal and state law enforcement and destroys any data or evidence he downloads once the entity acknowledges the breach and reports it accurately.
Sadly, Steve Woda, CEO of uKnowKids jumped to try to portray his firm as victims of some hacker:
It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker
Perhaps he thinks that sounds better than to forthrightly tell consumers, “We screwed up and our data and yours was exposed, but thankfully, some good-guy researcher spotted our mistake and alerted us. We are not worried about him misusing your information, given his reputation, but to reassure you, we are offering you….”
In his original communication to this site, Vickery claimed that Woda tried to intimidate him during a phone conversation with “veiled threats:”
In fact, during that very same phone call, Steve Woda tried all manner of intimidation tactics against me. I can only assume that this is because he doesn’t want anyone reporting on the incident. Woda repeatedly insisted that I have acted inappropriately in my response to discovering and alerting his company to the gaping breach.
Furthermore, he tried to convince me that an outlet reporting on the breach could face liability under COPPA (a claim which is, of course, preposterous).
For his part, Woda has tweeted publicly that he made no attempt to intimidate Vickery but did insist Vickery delete all the personal and proprietary information he had downloaded – including screenshots.
From having collaborated with Vickery on numerous breaches, this blogger is confident that had Woda simply asked Vickery to secure and then securely delete the data, Vickery would likely have agreed. His protocol is to only retain data as proof of his claims until such time as the entity acknowledges the claims or doesn’t try to cover them up.
So…. if you’re looking at incident response, think about whether it’s better to just admit you made a mistake that was caught by a good-guy researcher, or whether you really want to potentially alarm your customers by suggesting that you were “hacked” by someone with a track record of being responsible. Suggesting that you were a “victim” of some “hacker” may appeal to you initially from a PR standpoint, but in the long run, customers will respect you more if you just say you screwed up, thankfully, no one was harmed, and you’re taking steps to ensure it doesn’t happen again.
Just my .o2 with my morning coffee.