Last week, The AA in the UK came spectacularly undone when attempting to cover up a data breach. I wrote about them while describing The 5 Stages of Data Breach Grief but in short, they consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April:
— Troy Hunt (@troyhunt) June 26, 2017
They then sought to play down the severity of the exposure by claiming that no credit card data was compromised:
Which was completely and utterly false:
— Graham Cluley (@gcluley) July 4, 2017
Inevitably, as I foretold in the data breach grief post, The AA was left with no other option than to own the incident and come clean which they did by the end of the week:
— Graham Cluley (@gcluley) July 7, 2017
But this post is not intended to be about The AA, rather that their behaviour is part of a more alarming trend: data breach cover-ups. I was prompted into writing this today after watching a series of tweets from followers in India about a massive breach involving Jio, a local Indian telco. Over the last 24 hours, a site had emerged allowing anyone to search for data that forms part of an alleged 120 million record haul and by all accounts, the data is authentic:
— Indrajeet Bhuyan (@Indrajeet_b) July 9, 2017
This Jio data leak is real. Has my data as well. https://t.co/uU9gbBQhuc
— Kiran Jonnalagadda (@jackerhack) July 10, 2017
— Binoy Xavier Joy 🛰️ (@binoyxj) July 9, 2017
There’s also a Reddit thread with many people commenting that their data on the site was legitimate. Within the discussion on that thread is a reference to the data being listed for sale a few months earlier on a notorious dark web marketplace:
Except that Jio is denying the authenticity of the data:
We want to assure our subscribers that their data is safe and maintained with highest security
It’s too early for me to be emphatic about whether this does indeed constitute a legitimate breach or not, but the language of the organisation in the face of evidence to the contrary is, per the title, alarming. And again, this forms part of a pattern that we’ve seen play out many times before, not just with The AA.
For example, in December last year PayAsUGym was strenuously denying the presence of card data in their breach and again, this was despite damning evidence to the contrary:
Question for folks in the UK – does “credit card information” mean something different there to what it does here? pic.twitter.com/IEBNa49cO5
— Troy Hunt (@troyhunt) December 19, 2016
Only a few months earlier, Regpack refused to take responsibility for losing 324k payment records complete with credit card CVVs. In fact, they were very clear that the data had not originated from them:
we have run the full security protocol implemented in these cases and conclusively determined that our servers were not involved
A day and a half after I wrote about it, their tone changed rather dramatically:
We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss
Yet even after the incident, they continued to claim that their security was “bulletproof”:
Earlier in the year in April, the Minecraft community known as Lifeboat was hacked, an incident I brought to light after someone handed me 7 million accounts including passwords merely hashed with MD5 and no salt. They actually knew about this incident but elected to cover it up for what we in the industry call “a bullshit reason”:
When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act
That was a particularly alarming case given the scale of the incident and the acknowledgement of a conscious cover-up. However, Lifeboat didn’t seem too perturbed by the breach and instead later boasted about how competitor service Leet didn’t have as big a data breach as they did:
These incidents are more than mere mistakes on the part of the organisations involved. They're not oversights or miscommunications; rather, they're deliberate attempts to at least downplay and at worst outright deny that an incident has occurred. Whilst these organisations focused on self-preservation, the individuals who entrusted their data to them were left exposed, vulnerable and, as we're seeing with Jio, confused.
I'm presently looking at a number of other incidents very similar to The AA: there is documented evidence of data having been exposed and then obtained by third parties, the impacted organisation has been notified, yet customers have been left in the dark. Some of these are very large organisations which will likely face a similar fate to that of The AA.
I’ll end with some practical advice for any organisation contemplating following in the footsteps of those above: regardless of your jurisdiction, regardless of any mandatory data breach disclosure laws and regardless of whether or not you believe you’re legally compelled to advise customers, consider the consequences if you don’t and they find out you withheld information from them. Of course, companies should want to do the right thing by their customers in the first place, but as is very clear in the examples above, some of them need a helping hand to come clean.