Mastodon

The Alarming Prevalence of Data Breach Cover-Ups

Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April:

They then sought to play down the severity of the exposure by claiming that no credit card data was compromised:

The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.

Which was completely and utterly false:

Inevitably, as I foretold in the data breach grief post, The AA was left with no other option than to own the incident and come clean which they did by the end of the week:

But this post is not intended to be about The AA, rather that their behaviour is part of a more alarming trend: data breach cover-ups. I was prompted into writing this today after watching a series of tweets from followers in India about a massive breach involving Jio, a local Indian telco. Over the last 24 hours, a site had emerged allowing anyone to search for data that forms part of an alleged 120 million record haul and by all accounts, the data is authentic:

There's also a Reddit thread with many people commenting that their data on the site was legitimate. Within the discussion on that thread is a reference to the data being listed for sale a few months earlier on a notorious dark web marketplace:

Jio data for sale

Except that Jio is denying the authenticity of the data:

We want to assure our subscribers that their data is safe and maintained with highest security

It's too early for me to be emphatic about whether this does indeed constitute a legitimate breach or not, but the language of the organisation in the face of evidence to the contrary is, per the title, alarming. And again, this forms part of a pattern that we've seen play out many times before, not just with The AA.

For example, in December last year PayAsUGym was strenuously denying the presence of card data in their breach and again, this was despite damning evidence to the contrary:

Only a few months earlier, Regpack refused to take responsibility for losing 324k payment records complete with credit card CVVs. In fact, they were very clear that the data had not originated from them:

we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved

A day and a half after me writing about it, their tone changed rather dramatically:

We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss

Yet even after the incident, they continued to claim that their security was "bulletproof":

Regpack bulletproof security

Earlier in the year in April, the Minecraft community known as Lifeboat was hacked, an incident I brought to light after someone handed me 7 million accounts including passwords merely hashed with MD5 and no salt. They actually knew about this incident but elected to cover it up for what we in the industry call "a bullshit reason":

When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act

That was a particularly alarming case given the scale of the incident and the acknowledgement of a conscious cover-up. However, Lifeboat didn't seem too perturbed by the breach and instead later boasted about how competitor service Leet didn't have as big a data breach as they did:

Lifeboat boasting of data breach size

These incidents are more than just mere mistakes on behalf of the organisations involved. They're not oversights or miscommunications, rather they're deliberate attempts to at least downplay and at worst outright deny that an incident has occurred. Whilst focusing on self-preservation, the individuals who entrusted their data to these organisations were left exposed, vulnerable and as we're seeing with Jio, confused.

I'm presently looking at a number of other incidents very similar to The AA where there is documented evidence of data having been exposed then obtained by third parties and the impacted organisation notified yet customers left in the dark. Some of these are very large organisations which will likely face a similar fate to that of The AA.

I'll end with some practical advice for any organisation contemplating following in the footsteps of those above: regardless of your jurisdiction, regardless of any mandatory data breach disclosure laws and regardless of whether or not you believe you're legally compelled to advise customers, consider the consequences if you don't and they find out you withheld information from them. Of course, companies should want to do the right thing by their customers in the first place, but as is very clear in the examples above, some of them need a helping hand to come clean.

Security
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals