The media are certainly becoming more sophisticated at reporting on data breaches and web site hacks. And as that happens, corporate communications departments are freer to craft ever more sophisticated messages about a breach/hack involving their organization. The new goal is to describe the organization as just the latest victim of an on-going attack on everyone. I’ve already written about how South Carolina’s data breach rode on the coattails of Federal warnings of a “Cyber Pearl Harbor” (see that post at http://wp.me/p2Ob8g-13).
But whereas coverage of South Carolina’s breach was all about how it might have been an invasion by a nation state (turned out to be just common criminals), Twitter’s most recent hack announcement takes a different approach. Twitter announced the fact that some of its user data had been breached by putting the news on a blog entry with the Orwellian title: “Keeping our users secure”. Then they spend the first paragraph of the announcement describing how dangerous it is out there. They remind us that
The punch-line comes in paragraph two. Twitter would like you to know that just like respected institutions like the New York Times and the Wall Street Journal, they too have had a systems breach. They go on to tell us that the approximate number of users impacted is 250,000 and paragraph three deals with how Twitter has already notified the individuals.
But really, we are assured, that’s not the point of this announcement. By paragraph four, the breach is minimized: “Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet.”
Some very good advice on managing passwords follows (citing the FTC). It is good to see the FTC guidance on this being brought up, and good to see that the FTC seems to be relying on the NIST 800-63-1 guidance.
The announcement ends with the statement that “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.” And for this reason, raising awareness, we at Twitter are publicizing our breach.
It should not be the rule that “no good deed goes unpunished”. But really, Twitter? You have helped redefine the phrase “news travels fast”, and you just sent a quarter of a million of your users an e-mail saying their information may have been compromised. While I am sure you want the Internet to be a more secure place, your announcement must also be seen in the context of keeping ahead of the story. You, Twitter, as the Coke without a Pepsi competing with you (yet), really cannot afford a hashtag that reads #beenhackedlasttweet. Especially from some of the celebrities that make you so valued in Cyberspace.
The way to keep ahead of the story, it would seem, is to remind people that organizations that are hacked are victims, that we are losing the war with the hackers and that our best efforts may not be good enough. And the corporate communication community is getting wise to this approach. Consider the recent breach announcement from Froedtert Health in Wisconsin: “Unfortunately, such computer attacks are increasingly common, affecting organizations worldwide.” And, as if they hired Twitter’s head of communications, the Froedtert people assure the public “that fewer than three percent of the files might have contained Social Security numbers.”
Information Security professionals have always known that their safeguards are not perfect and everything from the recent Presidential Directive on CyberSecurity to the press releases listed above indicate that this is becoming more common knowledge. But we distinguish between an organization breached on day zero of a Zero Day Attack and one breached 18 months later because the organization is a “bit behind” in their patching.
And that’s the information that breach announcements have yet to reliably provide. I think the public is willing to understand that sometimes data get breached. But I don’t think “it’s happening to everybody” has automatic relevance in a breach announcement unless you demonstrate that the breach was somehow related to new, unpreventable attacks. Imagine if the Twitter announcement were from an airline: “Within the last two weeks, Airline X and Airline Y have chronicled breaches of their airplanes’ fuselages. We at Airline Z have recently found breaches in a small number of our planes. We urge all air travelers to make sure the planes they are on practice good metal fatigue hygiene. Passengers should check that the area around their seats when they board a plane meets FAA standards for measuring metal fatigue (http://www.faa.gov/aircraft/air_cert/design_approvals/transport/aging_aircraft/media/RepairAssessPressFuselFinalRule.pdf).” The first question you would ask is “How are the events on these three airlines related, if at all? Type of plane? Type of inspections? Regulatory approval process?”
Ultimately, this must all be seen as a transitional phase. Eventually, the public, the government and the organizations that store data will come to a general understanding of what constitutes negligence in caring for confidential data and what constitutes bad luck.