At the start of March some 50 million people received an email informing them that an online note taking and data archiving service they used had been hacked, and a password reset was required.
The way that the company concerned handled the disclosure of this information was interesting as it displayed a mixture of calm professionalism and schoolboy error.
We have mandatory fire drills. It is about time we have mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro.
What happened?
In many ways the Evernote data breach was little different to the plethora of incidents involving hackers gaining access to member data. Although we are still waiting for the forensic detail of the attack vector itself to be forthcoming, I wouldn't be at all surprised if it turned out to be the work of the same criminal hacking group based in Eastern Europe that has successfully attacked Apple, Facebook and Twitter in recent weeks.
The target being any data that holds a value on the underground online 'dark market' such as intellectual property, research material and, yes, email addresses and associated service passwords. We know that the Apple attack involved a Java browser plug-in vulnerability being exploited on some of its employees' desktops. We also know that the Facebook breach followed employees accessing a 'developer site' which suggests a similar use of a Java zero-day. Although China has been blamed by some, it seems unlikely that state-sponsored hackers would be involved in such blatant criminal activity rather than politically motivated hacktivity. Instead, the finger of suspicion points towards Eastern Europe where cyber-criminality is rife. And really advanced.
What we do know from the email that was sent out is that Evernote's Operations and Security team discovered and subsequently blocked "suspicious activity on the Evernote network" that appears to have been "a coordinated attempt to access secure areas" of the service. We also know that while there is no evidence emerging that any payment information or user content was accessed, user information certainly was breached. Evernote admits that the information accessed included "usernames, email addresses associated with Evernote accounts, and encrypted passwords" although it points out that the passwords were hashed and salted.
The however and whoever of the breach are by the by; if you are not clued up on how to best protect your enterprise against attack, you only have to scan the pages of IT Pro for plenty of pertinent advice from those who are.
No, what's really interesting here is the 'what happened next' process. And what happened next was a quite schizophrenic breach disclosure statement that simultaneously offered good advice while also ignoring it. It provided clarity but also obfuscation, and risked compounding reputational damage in equal measure to protecting the brand.
So what went right, and what went wrong in terms of handling that disclosure. And, perhaps most importantly, what are the lessons that can be learned?
-
AI is helping bad bots take over the internetNews Automated bot traffic has surpassed human activity for the first time in a decade, according to Imperva
-
Two years on from its Series B round, Hack the Box is targeting further growthNews Hack the Box has grown significantly in the last two years, and it shows no signs of slowing down
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
