It seems now that not a day goes by without some kind of data breach, vulnerability, leak etc. It is really concerning that despite A+ marketing, including mentions of "bank-grade", "military-grade" and "unhackable" systems, organisations are seemingly compromised regularly, which demonstrates that we all still have much to learn about cyber security. I'm someone who tries to keep up to date with the latest news regarding breached companies, and whilst the consistency of breaches is concerning, I actually find the average response of affected organisations to be the most troubling aspect. Whilst there are many who own up, apologise, accept responsibility and ultimately do the right thing, there seemingly is a greater number who operate from the (unwritten) industry-standard hack-handling playbook. This set of instructions seemingly doesn't pay much attention to how compromised data can gravely affect the end user who has the misfortune of having their data stolen through no fault of their own, and I'm going to address the tactics that I find most egregious.

En Vogue

Exploited vulnerabilities are currently the popular kid in school. They get a lot of attention, and given the potential they have to significantly affect people's lives, that is a very good thing. Much like with anything that is popular, many want to capitalise on the exposure, like touting how secure one's system is, offering tips, and bragging about how they have been audited by significant bodies. Cyber security can be harnessed for Search Engine Optimisation, as people will likely be searching for terms like "Ransomware", "Malware" and "Card Skimming" in light of attacks that have been reported by the wider media. Ultimately, there are many more people out there who are looking to protect themselves in the wake of seemingly increasing attacks on organisational infrastructure and their data. We do live in scarier times.

The problem with anything that gains notoriety is that you potentially expose yourself more to any negative connotations that arise when something bad happens. Surfing the peak of the wave can be hugely beneficial, but in the case of cyber security, when YOU are hacked, WIPEOUT! This is why it is essential that you understand cyber security beyond using it as a marketing tool you can wield in the days when your organisation hasn't been exposed publicly in a breach.

One of the BEST pieces of advice I ever received as a developer was provided by a cyber security expert at a client office, where I was advised to "design my software with the assumption that it will be successfully hacked", as it would significantly affect the design decisions that I make. This forces you to think about the data which is exchanged across your endpoints, how it is protected (authentication, authorisation, encryption in transit and at rest etc.), the database roles required and the data these roles can access, as well as the permissions your software has at start-up and at runtime (especially important because, to get up and running quickly, many organisations run their software as ROOT/Admin, i.e. God-mode 😲😳🤫). The cyber security expert went on to tell me that "you may not ever get hacked, but approaching software development with a defensive mindset will significantly limit the damage an attacker can inflict, and may even keep them out entirely". This was an interesting take that has lived with me ever since.

A lock used for security by design

For me, this is a cultural thing that needs to be spread across organisations. It also doesn't just apply to companies that develop software: if you are using ANYTHING with software in it, you need to be EXTREMELY MINDFUL of the threats that exist out there. Staff should be educated regularly, and this shouldn't stop at "watch out for suspicious emails" and "don't click bad links".
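Database roles and least privilege, as an added example that is not from the original post: it assumes PostgreSQL, a constructed users table and a role named app_web, and shows the weak "connect as superuser" setting beside the corrected one, tying in the leaderboard leak mentioned later in the post.

```sql
-- Added example (not from the original post): least-privilege database roles in PostgreSQL.
-- Constructed schema: one "users" table holding profile data, password hashes and a score.
CREATE TABLE users (
    id            serial PRIMARY KEY,
    username      text NOT NULL UNIQUE,
    email         text NOT NULL,
    phone         text,
    password_hash text NOT NULL,
    score         integer NOT NULL DEFAULT 0
);

-- Weak setting (what "God-mode" looks like in the database): the web app connects as a
-- superuser or the table owner, so a single SQL injection can dump every column.
--   CREATE ROLE app LOGIN SUPERUSER PASSWORD '...';   -- do not do this

-- Corrected setting: a dedicated login role that starts with no privileges at all.
-- The password here is a placeholder; in practice it comes from a secrets manager.
CREATE ROLE app_web LOGIN PASSWORD 'PLACEHOLDER-FROM-SECRETS-MANAGER';
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_web;

-- The leaderboard endpoint only needs username and score, so it reads through a view
-- that never carries email, phone or password_hash: the "other users' PII in the
-- leaderboard response" failure then cannot happen at the database layer.
CREATE VIEW leaderboard AS
    SELECT username, score FROM users ORDER BY score DESC LIMIT 100;
GRANT SELECT ON leaderboard TO app_web;

-- Login must compare one user's hash, but must never be able to list hashes.
-- A SECURITY DEFINER function owned by the table owner does the lookup; app_web
-- gets EXECUTE on it and still has no SELECT on users.password_hash.
CREATE FUNCTION get_password_hash(p_username text) RETURNS text
    LANGUAGE sql STABLE SECURITY DEFINER
    SET search_path = public
AS $$ SELECT password_hash FROM users WHERE username = p_username $$;
REVOKE EXECUTE ON FUNCTION get_password_hash(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_password_hash(text) TO app_web;

-- Profile editing is column-scoped: app_web can read and change contact fields,
-- but a plain SELECT or UPDATE on score or password_hash is refused, and there is
-- no DELETE at all, so a compromised app cannot wipe or exfiltrate the table.
GRANT SELECT (id, username, email, phone), UPDATE (email, phone) ON users TO app_web;

-- Check: as app_web, each of these must fail with "permission denied for table users".
--   SET ROLE app_web;
--   SELECT password_hash FROM users;
--   DELETE FROM users;
```

The same idea applies one layer down: the service account the application runs under at the OS level should be just as restricted as app_web is inside the database.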
Yes, remind them about suspicious emails and bad links, but there are far more risks out there that they need to be mindful of. Cover password reuse and help them set STRONG passwords, not ones that merely conform to stupid password rules (which are stupid).

Stupid Password Rules Are Stupid

Educate them about HTTPS and why it is important. Explain to them that they should lock their machines when they step away, not because "this is company policy", but by showing them that if a machine is left unlocked, EVERYTHING they can access is potentially accessible to someone else.

Put in place ROBUST IT systems and support that provide them with the software they need quickly, so they aren't tempted to circumvent policy and install software from the internet. Let's be real here: if your IT support is terrible, people will work around it no matter what legally binding policy you write, potentially opening up your organisation to REAL security risks. Finally, encourage your staff to report any vulnerabilities they find and ACTUALLY do something with the reports. Keep the person in the loop so they are encouraged to bring more issues to your attention. Communication is KEY, and if you act poorly, you will lose potential allies within your organisation.

Have My Details Been Stolen?

If you are worried that your details have been stolen, you can check the huge database of known breaches at Have I Been Pwned. If any of your accounts appear, make sure you change your password! Also, please make sure in future that you don't use the same password for different sites, as it makes it easier for attackers to access the other services that you use. Can't remember tonnes of super secure passwords? Use a password manager 😃.

Have I Been Pwned

Worst Case Scenario

So what if our worst fears are realised and your systems are hacked? In this scenario your integrity as an organisation will be under intense scrutiny by the wider public, as in most cases when you are hacked, it will include the data of your users and/or clients. You have a duty of care to everyone affected, as ultimately they trusted YOU (faceless organisations included) to keep their information safe and secure, and unfortunately (for them) you didn't keep your side of the bargain.

However, we all make mistakes; that is part and parcel of life, and you can recover with your integrity intact if you approach the situation honestly and provide those affected with the information they need, delivered in a way that shows that you UNDERSTAND their situation. You could turn this into an opportunity to grow trust and understanding with your user base, as well as develop your skills around cyber security. Take your hefty initial loss, and grow it into a longer-term win. For some examples of excellent, transparent responses, see below.

Imperva Security Update

Competitive Pest Services Data Breach: What Happened and How We Plan to Fix It - Competitive Pest Control

Losing a game of chess can bring frustration and also an opportunity to win next time

Life is hard, and it can be difficult to admit that you screwed up, but you owe it to those affected (and as shown, there are those out there willing to do this). The alternative, where you obfuscate the issue, is the easy way out and makes you look awful in the long term, but unfortunately it seems like a popular route to take. This is probably orchestrated in large part by the Legal and Marketing teams that don't want to admit blame nor company liability. What I find interesting about all of this is that in many cases, breach responses issued by various companies spread across different industries are SAMEY and GENERIC, and if you read enough of them you'll see they follow a very specific pattern with common beats.
In my honest opinion, if you issue a cookie-cutter response like this, you are demonstrating that privacy and security may not be at the top of your priority list. So what do companies do and say when breached? Read on!

THE Standard Security Statement that Says **** You to Affected Users

If you read enough breach notices, you'll see slight variations of the same statement crop up time and time again. Come rain or shine, some breached company will be floating this daft collection of words around for the whole world to see.

We take the privacy and security of your data very seriously

Zack Whittaker, writing for TechCrunch, actually penned a great rebuke of this stupid amalgamation of drivel a while back that I highly recommend you read! I really wish that many more company spokespeople internalised the message conveyed!

Stop saying, 'We Take Your Privacy and Security Seriously'

For me, this statement encapsulates so much of what is wrong with security at many organisations at the moment, and it often betrays the actual company ethos once you learn what caused the breach! No one wants nor needs to hear this posturing, and the fact that it is being stated AFTER a breach is laughable. It might be true, but the timing is totally off.

Also, using real-world examples, if an organisation left an important database online without ANY form of protection or access control, which was then found using a search engine, can they really say this? (This is so common btw.) What about leaving important secret keys on their publicly facing gateway? What about allowing anyone on the internet to browse their file structure? What about letting the encryption certificate for their monitoring equipment expire for 10 months, so that as soon as it was renewed they could straight away see that they had been breached? What about not keeping their internet-facing machines patched and up to date, and running old versions of Windows XP with known vulnerabilities? What about sending other users' Personally Identifiable Information and hashed passwords back to a user when they accessed a leaderboard? What about using the username:password combination of admin:admin for CRITICAL functions? Should this prevent companies from using this phrase? It doesn't btw, but should it?

Variations of this phrase are garbage, and should be avoided at all costs. When a message like this is copy-pasted across so many breaches by so many different companies, it shows that they don't care about their users, and are doing the ABSOLUTE bare minimum when communicating with them. They should come up with something specific to their organisation and its purported values, and not use cookie-cutter, cardboard-cutout responses. This allows them to show that they actually take privacy and security seriously rather than merely say so. Just because a lapse in their security led to them being breached doesn't mean they have to carry on being bad at security, and yet their response embodies exactly that.

Lack of Empathy and a Proper "We're Sorry"

A company screwed up, so why don't they own it? Many companies dance around the issue, sounding like AI-programmed robots, when all users want and NEED is a simple "We're Sorry". They are dealing with PEOPLE, so sentences like "we apologise for any impact this may cause" are highly impersonal and don't connect on a human level. It would be better to actually apologise, and to talk to the PEOPLE who have been affected like they are PEOPLE. Sticking to facts like "this breach may have impacted some emails, passwords, addresses, phone numbers" doesn't come close to grasping the full extent of the problem.
The company was trusted to look after information, and their inability to do so has helped to break that trust.

That fear when holding your device after your details have been stolen

Leaked emails and passwords may mean that other accounts get hacked through credential stuffing, and yes, the company might "recommend that users don't reuse passwords", but we all know password reuse is rife. Whilst that popular habit ISN'T the fault of the breached organisation, they should still acknowledge it and empathise with the time it will take for users to protect their other accounts. Also, when addresses and phone numbers have been leaked, that is really scary, so organisations should empathise with this too. When financial details have been leaked, just sticking to "we will provide one year of free credit monitoring" isn't going to help those affected sleep at night, for goodness' sake! Users may already have multiple credit monitoring plans due to previous breaches of companies that "take the privacy and security of their data very seriously", so how is the latest company any different?

Finally, if a company really wants to lack empathy, they can drop a classic "rest assured" into the mix to really "help". What does this mean? They got breached and they are straight away saying that we shouldn't worry about this in the future? Come on now! The world doesn't work like this! Trust needs to be earned back, so let actions do the talking, not robotic, copy-pasted phrases!

Mistreating Security Researchers

When there is a vulnerability in an organisation's system(s), even if it may not feel like it, the HOLY GRAIL is being alerted by security researchers. Penetration testing and vulnerability scanning aren't free (or crap 😰), so if someone comes forward and points an issue out, the organisation should thank their lucky stars as well as the researchers, and fix the issue whilst keeping them in the loop. They shouldn't be ignored, because if they found vulnerabilities, so can many others.

The company shouldn't respond by downplaying the issue with something along the lines of "no one is going to do that", as someone just has, so what's to stop others from doing it? The researcher will end up publicly disclosing the issue anyway if the organisation buries its head in the sand, forcing them into action, so what's the point? The denier just ends up looking incompetent and has to fix the (now public) issue with the added stress that everyone can easily find out about it. There are cases where organisations threaten, discredit and even try to sue! These are all stupid actions that will contribute to a Streisand effect, and will lead to a LOT of FREE PENETRATION TESTS from around the globe!

A strong example of questionable behaviour was when a security researcher contacted the City of York regarding a vulnerability in their One Planet York application. Instead of thanking the researcher, they reported them to the police! In this case, the researcher made no demands, and was purely informing them so they could secure their infrastructure, but the council weren't taking any chances haha! After the researcher's company responded, and following feedback from the security community AND the police publicly stating that they welcomed the researcher's contributions, the council relented and tried to justify the course of action they had taken.

York Council app Users Hacked: Nearly 6,000 Affected

One Planet York: Data Breach Update

He Alerted York Council to a massive Security Flaw. They reported Him to the Police

In life, it isn't wise to try to throw someone under a bus who is just trying to help you.
Just thank them, admit your fault, take corrective actions, learn from the ordeal and your mistake, and move on.

Use of the Dreaded Word "Some"

In all hack responses issued by any company, nothing makes my blood boil more than the use of the word "some", or even "a small number of", when describing the amount of data exfiltrated. When companies drop "some" into a disclosure, they are effectively saying that an unknown amount of data has been taken that affects an unknown number of users. However, there are "some" companies that use the dreaded "some" to supplement a stated number of affected users, which can come across as downplaying the issue, especially when the number, whilst low compared to the total number of users on a given platform, runs into the tens of thousands and MILLIONS!!! That's really pushing the meaning right there!

Even if the data of two people is included in a data breach, that is two too many people whose data has now ended up in the wrong hands and who will now be understandably quite concerned, anxious, and even scared. They should be treated with the respect they deserve, and the breach of their data should be treated with the same candour as if ALL users were affected. Organisations should be honest with the numbers when known and explicitly state if figures are unknown, i.e. say something along the lines of "we don't know at this time" rather than "some". There should be empathy, and they should do everything they can to inform users, allowing them to make the correct decisions. Organisations are doing their users a disservice, and at times even putting them at risk, when trying to downplay the extent of a breach with the NASTY word "some", so they should try their best not to use it.

Downplaying the Importance of the Data Lost

One thing that really irks me with the (standard cookie-cutter) company breach responses is when an emphasis is placed on the fact that no financial information was affected, straight after announcing that emails, passwords, dates of birth, addresses, email addresses and telephone numbers (i.e. sensitive PII) have been stolen. So whilst an attacker cannot straight away use my card details on Amazon or eBay to purchase a new garden set, they can easily find out where my garden is, ring me up, spam my friends and family, and potentially use the details to open up other accounts in my name! Great, thanks!

How Fraudsters Can Steal Your Personal Information

What Can a Scammer Do with My Address and Phone Number?

5 Ways Your Email Address Can Be Used Against You

There is so much that scammers can do with "just" this non-financial information, like commit a "small" thing like identity fraud. So, through no fault of my own, I get the pleasure of scammers (potentially) impersonating my boring self. Looks like I'm going to sleep like a baby tonight! Also, because many services use email as the identity element, this means that attackers can now use credential stuffing (with the leaked password) and/or plain ol' brute-force techniques to crack accounts. If users have reused their passwords (not the fault of the breached company, but it is a common issue), then this will give attackers trivial access. BRILLIANT!

Credential Stuffing

Brute Force Attack

Person sad that "ONLY" their personal details were stolen

So because users made the mistake of trusting the (now breached) company, they now have to worry. They didn't share their password with someone else, or leave their device unlocked, or send these details to someone else by mistake; they were sold a product/service by an organisation, told that security was covered, and now their sensitive personal details are floating around the internet because of that trust. To add insult to injury, the company also has the audacity to insinuate that because no financial records were taken, it isn't THAT BIG of a deal. That's like shrugging your shoulders and saying "Hey! It could've been worse" 🤷♂️.

Again, a lot of this comes back to speaking to people like they are human beings, and putting the PR-BOT 2000 back in the cupboard where it belongs. The company didn't live up to their side of the bargain, so they can at least empathise with the PEOPLE that they have failed to keep safe and secure. The representatives behind these press releases need to put themselves in the shoes of the PEOPLE affected and think about how they would feel reading messages that come across as so generic and uncaring. It always shocks me that these responses are actually written by human beings, because they come across as so robotic. Don't say that you care, actually care!

Taking Privacy and Security Seriously

Cyber security is currently a popular topic, and many different stakeholders are investing in it. Unfortunately, we seemingly have an issue where, once breached, many companies try to save face as much as possible and provide very little information using very impersonal language. This is detrimental to the end user, who only made the mistake of trusting the company with their data in the first place. Hopefully, as cyber security becomes more normalised, responses to breaches will have more of a personal touch and allow affected users to take the required steps to protect themselves. A man can dream!

Take care and all the best. Si.