There is a Serious Lack of Corporate Responsibility During Breach Disclosures

Subject: Data Breach of [your service]

Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com

People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of records containing personal information.

I wanted to send you what’s been sent to me and give you the opportunity to respond before I notify my subscribers impacted in the incident. Could someone responsible for information security please get in touch with me?

For more on who I am, see my about page here: https://www.troyhunt.com/about

I've been sending this email for years. Its purpose is pretty self-explanatory and whilst it may not be an email anyone ever wants to receive from me, it's a very important message. Yet somehow, it frequently goes ignored. I gave a really good example of this in my Hack to the Future talk at NDC London last year (deep-linked to the Adult Fan Fiction saga):

Nothing has improved since that time and if anything, disclosure is only becoming more painful. Let me give you two recent examples and I'm going to refrain from naming the companies directly as they ultimately did do the right thing.

In the first example, I sent the message at the beginning of this post to their published email address and as with Adult Fan Fiction... crickets. Now, I wasn't actually convinced this company was the source of the breach in question as I couldn't find a mechanism to reliably verify it, but what I did know for sure was that a popular hacking forum was sharing the data with every man and his proverbial dog and alleging that it had come from the company in question. In other words, it's something to be taken seriously.

What tends to happen when I can't get a response from an organisation via their published channels is I take to Twitter and publicly ask for a security contact. Just have a look at the number of tweets in that link and you'll get a bit of a sense of how frequently this happens. I'm conscious that when I send one of those tweets, a sizeable slice of my 150k followers see it and assume the company has been breached so I don't send those tweets lightly. Frequently, there's a segment of those people who do actually know someone at the company involved and are able to put me in touch with them, which brings me back to my first example.

The tweet worked and someone from the company reached out. This was almost 3 weeks after my initial email to them so that's 3 weeks of personal data being abused and possibly 3 weeks of whatever the source vulnerability was still sitting there. 3 weeks! I was frustrated, and I suspect that came through in my message to them:

I actually emailed [your service] weeks ago and never got a response (see attached, it explains the background).

I wanted answers. Not because I was angry at them specifically, but because I wanted to understand what it is that causes organisations to continually ignore attempts to contact them. Why didn't these guys reply?!

It seems that your email to our customer services team was deleted by a user there as they thought it was SPAM.

FFS, seriously?! Now I was really intrigued, why on earth would that message have been considered spam?!

I’m very surprised to hear someone treated that message as spam, it came complete with proper SPF and DKIM records, clearly explained the situation and provided references to verify the legitimacy of the message. Assuming the breach is legitimate, that’s almost 3 weeks that have now passed where your customers’ data has been extensively redistributed and almost certainly abused to their detriment.

My frustration was obviously coming through in the messaging. There's absolutely no reason whatsoever that message should have been treated as spam, someone must have made a conscious decision to ignore it. Turns out they did:

It cleared our strict email filtering; unfortunately it got through to our sales people, who deleted it rather than passing it on to myself or others in the IT Team.

"Hey, you've probably had a data breach which puts both your business and customers at serious risk and I'd really like to help you ou..." Delete.

As it turns out, the data that was alleged to have come from this organisation... didn't come from them. But it was only after their manual review of it that they were able to confirm it wasn't theirs. They may not have been breached, but they still handled the initial attempt to contact them terribly. Ironically, when searching back through my emails for the communication I'd had with this company, I found a heap of auto-generated emails from tickets created on their system after HIBP had sent them a breach notice (I've got a catch-all and a rule just to file them all). They were an HIBP subscriber monitoring their domain! Yet even still, when the operator of the very service they'd been using to monitor their staff's breach exposure reached out and said "hey, you may have been breached", a human deleted the email.

The next example is from just last week when I received yet another breach. Like the previous one, this one was being actively circulated on a hacking forum so a bunch of people already had it. Unlike the previous one, I was able to quickly verify the legitimacy of the data by checking that multiple Mailinator accounts in the "alleged" breach successfully received password reset emails. I sent a similar message to the earlier one above but also included a link to the hacking forum discussing the breach. The message went out as both a Twitter DM and a Facebook message, and both social media accounts were being actively used by the company. Then... crickets. Again.

A week later I publicly asked for a security contact at the company which resulted in a very confusing response from them on social media. A day later I publicly asked again and finally, someone who knew what they were doing got in touch via email. Again, I wanted to know why this hadn't been taken seriously:

I DM’d [your service] 8 days ago and sent a Facebook DM too, why hasn’t there been a response?

The answer?

Hi Troy, apologies that your tweet did not get escalated through the right channels and thanks for bringing it to our attention.

Gotcha. So, do we blame the front-line social media person? Or have they simply not been trained to deal with incidents like this? Almost certainly the latter and yes, I understand that these folks have to deal with a bunch of junk that genuinely is spam but they also need to be equipped to identify messages that are actually important to the ongoing viability of their business. It's not like we don't have constructs for making it easy to report security incidents either; security.txt is a perfect example and there are now thousands of websites using it.

I'm rapidly losing patience with the lack of corporate responsibility I'm seeing when reporting these incidents. Because my time is sapped by cases like the ones above, it's keeping me from getting on top of so many other ones. This only delays disclosure and increases the impact on breached individuals. Why? Because frequently organisations just don't want to take breach disclosure seriously and that's a very concerning situation.

Edit: Let me address a theme from the comments here and via Twitter, namely that the message I send to companies could be reworded, not include links, include more links, be branded and formatted, have text only, be in red, be in green (ok, kidding on the colours but you see where I'm going on this). I've tried a heap of different approaches over the years and the only consistent conclusion I can draw is that there is no measurable difference between any of the messages. I don't buy the "it might be treated as spam because of x" excuse; these messages are going to published communication channels and meet all technical requirements to pass spam filters. Yes, a human might read and delete the message per the example above, but accountability then needs to lie with the organisation. I emphasised "excuse" because I want to make sure that in the event of an organisation getting litigious if I publish a breach related to them, it's their own negligence that prohibited the discussion from occurring privately. I appreciate that staff are trained not to click on links and, per other suggestions, a 5-second Google search would quickly establish a degree of legitimacy. Until we have a more consistent approach to things like security.txt (which is awesome, but covers a fraction of a percent of online assets), this is still the best I can come up with without adding massive overhead to my processes.

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals