#Password Security

We Take Your Privacy And Security Seriously

  1. By Devanand Premkumar
  2. No Comments

16 Aug

We Take Your Privacy and Security Seriously

We Take Your Privacy and Security Seriously

Have you ever heard major corporations claim, “We take your privacy and security seriously,” before they unveiled that your data has been breached by threat actors or hackers? Well, these vague and half-hearted statements would have meant more if these corporations and bodies had taken more steps to ensure that user data was secure and safe.

The majority of modern corporations rely on generally accepted and widely used password storage methods that can be exploited by modern era hackers.

Let’s take a look at 10 data breaches, and see how these corporations reacted under duress.

Data Breach Notification

An email usually arrives a while after news breaks about the information breach. The email format is also generic and most follow an identical pattern. The author will inform the name of the company(as if you didnt get that from the email) and how it serves you oh so well!

It then goes on to mention the incident in the least detail possible. Your understanding of the email is usually based on what you have already heard from the news and others places.

Somewhere between the lack of information and assurances’ of how much they are happy helping us, the mail would also assure us that “We take your security seriously” (ahem, seriously??).

Then depending on what the company is offering, there might be options to get a reduced rate or a discount or some form of monitoring related services.

While this may not make much sense to people who do not know how breaches can be contained and how forensics can help.

Similarly, attacks and exfiltration can also be reduced if not completely prevented. Most companies hand off their responsibility to their public relations(PR) company or team to issue their letter or an email about something we already know and claim that they care a lot about our security.

This is merely an attempt to dodge responsibility  for other people’s information security.

If they actually took the importance of our information seriously, they would have done something to actually prevent it from being stolen or breached in the first place. Such communications and emails are attempts by very many companies to avoid accountability for their carelessness.

What Did Samsung Have to Say After Users Found Out About Its Unsigned SwiftKeys?

Privacy and Security Seriously Samsung

Yes, giants have always been the number one target for hackers. This is why you expect these giants, such as Samsung, to be on their best. However, what can users do when they find out that their beloved smartphone company had been using unsigned SwiftKeys to record user data? Rage is just one of the things that more than 600 million users felt when Samsung claimed, “We take security very seriously at Samsung,” while admitting to using vulnerable protocols.

More than 600 million devices were put at risk when one of the users pointed out that Samsung was using un-trusted third-party certificates and keys to store and manipulate user data on devices. This seriously questioned their integrity and loyalty towards customers.

Moreover, Samsung merely opened up an investigation that led users to square one at every round. The company never truly apologized for its actions and kept offering redundant PR statements to shove everything under a blurry rug.

Did Experian Handle Its Data Breach Well?

Experian, one of the giants in the industry, is no stranger to unwanted attention and hackers. Well, one would think that the company would understand the importance of updating its security protocols, but one could be wrong. The data breach was handled rather poorly, and one of the press releases from Experian stated, “We take privacy very seriously, and we understand that this news is both stressful and frustrating.” Well, suffice to say that users were not pleased.

The hack basically targeted user information from T-Mobile and Experian, as T-Mobile uses Experian to process all of its credit applications. This breach led to an exposure of over 15 million unique customers, and a simple statement was not enough. According to analysts, the encryption methods used by Experian were subpar and outdated, to say the least.

How Do You Sell Breached Data of Westnet? Online!

One of the users on Twitter found out an online ad about user information for more than 30,000 Westnest customers on the dark web and tweeted it. That is when one of the biggest internet providers in Australia found out about its own data breach and casually said, “iiNet takes the privacy and security of customer information extremely seriously…” Good to know.

The data was being sold online, and the company itself didn’t know about the breach. However, later on, the chief information officer claimed that he knew about the vulnerability, and was in the middle of taking the appropriate measures to prevent any further data breaches.

However, it was too late, and the Australian internet users were outraged by this. Moreover, they were also furious that they had to find out about this from a tweet rather than the company itself. The sensitive information of more than 30,000 users was leaked, excluding the payment details.

Who Handles the Case When OPM Is Hacked?

FBI handles the majority of sensitive data breaches, and OPM is one of those sensitive cases that the FBI handled. Poorly. The original statement read, “We take all potential threats to public and private sector systems seriously…” Well, if that had been the case, the Office of Personnel Management would never have been exposed to the same Chinese hackers who got to the Anthem’s non-encrypted database.

According to a lot of users and analysts, this was a pre-calculated attack, and Chinese hackers are building a vast database of American federal employees for future targeting. Well, if OPM knew about this, why weren’t proper measures taken, and why did the FBI release a rather robotic and generic statement that had been used since the times of Cain and Abel.

This went on to show that even the FBI was a little hesitant and unsure about the origins of attacks and how to prevent them. A vague statement is never a good sign of confidence, and federal as well as public employees were outraged at this attack.

Did eBay Handle Its Data Breach with Elegance or Stupidity?

Stupidity and vague statements are the right answer here. You must wonder that giant corporations must be able to handle everything with elegance and have the audacity to tackle such issues with great professionalism, but you are wrong. When eBay found out that more than 145 million users and their data were breached, it said, “We take security on eBay very seriously…” Good!

Rather than offering a clear-cut explanation of what had actually happened, eBay merely encouraged the users to change their password and refrain from using the same password on multiple sites. Users were confused at first, and when the data breach was finally confirmed, the users were enraged, to say the least.

According to analysts, hackers got access to private information, such as date of birth, credit card information, purchase history, addresses, and more for more than 145 million users within a matter of a few hours. This could have been avoided if eBay had paid more attention to its encryption in the beginning.

What Else Did GAANA Expose Users to Other Than Songs? A Data Breach

GAANA is perfect for relaxing to your favorite music and spending some time listening to your favorite artists. However, how do you relax after knowing that your private information is at risk, and all GAANA will ever offer you is, “Finally, security is a major focus for us, and we are further strengthening our user security team.”

Imagine listening to your favorite songs and getting a tweet that your data is now in the hands of threat actors who intend to use it for malicious intents. Well, not a good moment. Do you want to know the worst thing about this data breach? Well, according to the Pakistani hacker, Mak Man, the data was not downloaded but was being queries in real-time, and it included hashed passwords and other information about 10 million users. Fun!

What further enraged the music lovers was the owner of this app stated that the data was hacked, but not comprised. If you want more, you can read all about it on his embarrassing tweet chain regarding this incident.

Did Adult Friend Finder Lose Its Data? How Did It React?

We are all aware of and have used the Adult Friend Finder at one time. Right? Don’t look away from your computer now. Back in the day, Adult Friend Finder was all the rage before the modern dating websites replaced it. However, it also became a target for hackers, and over 3.9 million individual users were exposed, and all the company had to say was, “Protecting our members’ info remains our top priority.”

According to the targeted users, it was not enough. One of the worst things about this breach was that even old, supposedly purged accounts, were exposed and this went on to show that the company never actually deleted used data. It was one of the worst data breaches of its time, and it also led to an untimely demise of the website.

The users wished and wanted that the company had done more to protect the identity of the users. Moreover, the users also demanded an explanation regarding the purged account that still existed on the company data.

What Happened with Ashely Madison Data Breach?

Believe it or not, dating websites are one of the favorite places for hackers, and the majority of modern data breaches have been through dating applications. In 2015, Ashely Madison became a target for hackers, and millions of people complained that the data had been breached, but the company denied any knowledge of such an attack. Later on, it admitted to the attack and offered a lame apology to the users.

The Ashely Madison’s brilliant PR team came up with a golden gem, “We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place…” This did not suffice. Not only were the users enraged, but they were also extremely furious with the way Ashely Madison handle the password security protocols.

Moreover, what was even worse about this breach was the company lied to the users. The breach was conducted through a feature “full delete.” According to the company, if you pay a handsome amount of USD 19, it will erase all your information from its servers. However, even after earning USD 1.7 million, the information was still there. This further infuriated the users, and it went down as one of the poor breach notification samples.

How Did the Health Insurer Anthem Handle Its Data Breach?

After Anthem lost 80 million sensitive user records, all it had to say was, “We take info security seriously…” rather than admit its mistake and take ownership of the vulnerability. The tweet by Anthem went down as one of the worst and poor breach notification samples.

One of the worst things about this breach was the HIPAA already informed the health insurance to encrypt the database. However, Anthem did not heed this warning and decided to move forward with the non-encrypted database. Later on, hackers got access to more than 80 million different employee and customer records within a matter of hours and cleaned house. Rather than admitting their mistake, Anthem merely tweeted to their millions of users that they take user information and security extremely seriously.

This showed that Anthem did not care about its users and was merely trying to shove the whole incident under a rug by offering a half-hearted apology. Anthem could have listened to HIPAA recommendations and encrypted the database within the timeline. This could have saved them from embarrassment and could have also saved 80 million users from having the records fall into the wrong hands.

How Did IRS Handle the Data Breach?

Privacy and Security Seriously

IRS announced their data breach with a hyperbolic apology that stated, “The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security…” Well, IRS came up with this rather vague and superficial statement after 334,000 taxpayers lost their sensitive information to hackers.

One of the worst things about this case was that the government explicitly knew about this vulnerability, and did nothing to resolve this issue before the breach. What irked users, even more, was the half-hearted breach notification process that looked more like an informative piece rather than an actual apology.

Taxpayers were not only enraged but also believed that this event could have been easily avoided with a timely response. What IRS could have done better was to present the information in a more humane manner rather than simply drafting up a boring, redundant, and robot-ish letter.

Conclusion

If we understand anything from the cases above, it is how to handle the breach notification process properly, and how not to go down in history among the poor breach notification samples.

Even major corporations slip up from time to time, but the way these corporations handle the situation matters the most. Admitting to the mistake, adapting the most powerful safety protocols in the first place, and apologizing to the users are among the most important elements of handling data breaches.

However, as you can see, all the companies above started their redundant and pre-rehearsed PR statements with vague statements designed to take users into confidence without showing an iota of true remorse of apology.

This has negatively impacted the reputation of these companies, and if corporations don’t change their behavior towards data breaches, such statements will continue to enrage users in the future as well.

As an end user, we should also take proper care of our own accounts. Best practices on password security including setting account security following on the guidelines on NIST can help us a lot.

Getting hacked causes problems long after you get what you wanted from an online website.

For the people running these sites, it hurts their company’s reputation permanently and many may not even forgive you for the mishap.

Our data is important and should be safeguarded by companies that we share it with. However, all our online data is at risk of being hacked, stolen, exfiltrated on a regular basis. This has damaging consequences for all of us, particularly as these incidents are increasing over time. Any information is not safe online, data breaches occur frequently and leave our personal and financial information exposed to fraudsters and miscreants.
 
I sincerely hope that there will be more companies who give out such statements with the real intention of safeguarding the privacy and security of customers seriously, rather than just a defensive statement to hide behind.
 
Please let me know in comments below, if you have come across any such poor data breach notifications.

References

No Comments
TAGS :