Yahoo: Do nothing and pray it goes away
Why are we surprised at this?! When Yahoo suffered a breach in 2013, it decided to just keep quiet about the 3 billion accounts that were compromised. Surely this would prove to be an effective strategy?
The news broke a whole FOUR years later, in 2017, that 3 billion accounts had been hacked, which is more than the company claimed in 2016, which is the first time anyone heard anything about a data breach. We shouldn’t really be surprised, as “do nothing and pray it goes away” has been Yahoo’s MO for quite some time now.
FriendFinder Networks: Take days to respond and then downplay the incident in a vague press release
FriendFinder Networks is a company that you’d reeeally want to keep your data secure. It operates AdultFriendFinder, a “sex and swinger community,” and when it suffered a breach in 2016, the response was slow and the press release was tepid. The company affirmed that it “” and appeared to put most of the onus on the users, commenting that it would contact users “to provide them with information and guidance on how they can protect themselves.” Seriously?
This press release came after days of speculation, which is actually forever if you are a user of an adult website waiting to find out if your data has been made public.
Equifax: Fail to patch software, take forever to disclose breach, let execs sell their shares
Equifax has one of the shadiest timelines of this group, and competition was stiff here!! After failing to patch a known vulnerability in March 2017 in widely used open source software Apache Struts, the data of 143 million US customers was potentially exposed in May 2017. Then on July 29th, days after the breach was discovered, executives sold off nearly $1.8M worth of Equifax shares. Hmm….this looks bad, but maybe there’s something we don’t know here. (Read: there’s not. It’s bad.)
Ticketmaster: Pretend it’s not happening
Ticketmaster was alerted to a possible breach in April of 2018, but decided to do its best impression of an ostrich and just pretend it wasn’t happening until it received apparently irrefutable (or un-buryable) evidence on June 23rd. Online bank Monzo released a statement shortly afterward saying it spotted the breach in April, but Ticketmaster said nah after an internal investigation revealed no evidence of any such breach.
I’m confused. Are we just letting companies investigate themselves now? This is not how any of this should work. Anywho….
Facebook: Deny deny deny
Facebook didn’t suffer a breach. Instead, it voluntarily gave away a treasure trove of user data and then informed us that we had all agreed to it in the terms and conditions. Whoops – we should have read those, but they’re just so boring, and no one can recall seeing a line item that said “we will give away all your data, suckers, and there’s nothing you can do about it LOL.” I think I would have remembered that…..
Exactis: Leave us all in suspense as if our data’s safety was a plot point in a Mission Impossible movie
But even worse, the company associated with the breach has stayed silent for days, which is deeply bumming out 230 million of us who would kindly like to know if our personal information is available online.
The bottom line
Data breaches are inevitable. Attackers are targeting companies on a daily basis. But ignoring the fact that a data breach has occurred, failing to patch a known vulnerability, putting the onus of dealing with a breach on users, and – most obviously of all – selling off your stock when you have insider information of a breach doesn’t help anyone. Companies need to be honest when they think a breach has occurred, or they risk losing their customers’ trust. And as our data multiplied exponentially, trust is becoming scarce.