Jun 29

It wasn’t me! What happens when users are “hacked” but your servers are still secure?

Deutsche Telekom, one of the largest mobile telecommunication companies in the world and the corporate parent of T-Mobile, recently announced that “real and current” consumer passwords were available for anyone to buy on the internet equivalent of the black market.  The precise number of consumers affected was unknown but estimated to be between 64,000 and 120,000.  But if you expected a contrite and apologetic breach response from the telecommunications giant, none was forthcoming.  That is because the company disclaimed ever being hacked in the first place – insisting that any passwords were obtained via phishing attempts or through the use of passwords stolen in other data breaches.

A similar refrain was offered by Twitter when it announced that almost 33 million users had their account data offered for sale by hackers.  There, it was revealed that a hacker was offering to sell the full set of user passwords on the dark web for just under $6,000.  After the news broke, Twitter issued a blog post that confidently stated “the information was not obtained from a hack of Twitter’s servers,” but rather was the result of malware on users’ own devices or of data taken in breaches of other companies.  Twitter was nonetheless forced to lock millions of users out of their accounts and require a password reset.

While both companies assured users that their systems were, indeed, secure, news outlets were quick to run splashy headlines naming the companies as victims of a hack.  What, then, can be learned from these and similar incidents?

First and foremost, remember that preventative measures are the key to stopping a breach of this kind before it starts.  Both incidents were driven by password reuse: credentials phished from users or taken in breaches of other sites were simply replayed against Deutsche Telekom and Twitter accounts.  Requiring strong, unique passwords, and rejecting any password already known to circulate in leaked lists, removes that avenue.  Mandatory frequent password changes, by contrast, tend to produce weak, predictable variations of the old password, and current NIST guidance (SP 800-63B) advises against requiring them on a schedule.  And with two-factor authentication, users remain protected even when an attacker already holds their current password, because the password alone is not enough to log in.

Second, act immediately to contain the incident and document the intrusion (if any).  Twitter, for example, locked the user accounts affected by the leak while simultaneously using the incident as a teaching moment for all Twitter users.  Both Deutsche Telekom and Twitter also immediately sought out the source of the information to determine whether there was an ongoing breach or leak.  The practical test is whether the leaked credentials actually work against your own systems: Deutsche Telekom described the passwords as “real and current,” which is what justifies locking the matching accounts and forcing a reset.  While both companies ultimately concluded that they were not responsible for a breach, these post-breach procedures are necessary.
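The two lessons above, unique passwords plus a second factor, and locking the accounts whose leaked credentials turn out to be real, can be shown in code.  The following is an added example written for this post, not code from Deutsche Telekom or Twitter.  It assumes a small constructed user store with fixed salts (a real system would generate them randomly), a constructed credential dump, standard-library PBKDF2 for password hashing (a dedicated Argon2 or bcrypt library is preferable in production), and RFC 6238 TOTP as the second factor.  The login function shows that a stolen password alone is refused; the flagging function replays a dump against the stored hashes, exactly the “is it real and current?” check, and locks the matches until the user picks a new password that is not in the dump.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 100_000  # assumption: tune the cost to your own servers


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library (self-contained here;
    an Argon2 or bcrypt library is the better production choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _make_user(password: str, salt: bytes, totp_secret: bytes) -> dict:
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "must_reset": False}


# Constructed sample user store. Fixed salts keep the example deterministic; a real
# system draws them from secrets.token_bytes(). Alice's TOTP secret is the RFC 6238
# test-vector key, so her codes can be checked against the published vectors.
USERS = {
    "alice": _make_user("correct horse battery staple", b"salt-alice-0001", b"12345678901234567890"),
    "bob": _make_user("hunter2", b"salt-bob-0002", b"constructed-secret-bob"),
}


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def login(username: str, password: str, code: str | None, now: int) -> str:
    """A correct password alone never grants access; a valid TOTP for 'now' is required."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return "denied: bad credentials"
    if user["must_reset"]:
        return "denied: password reset required"
    if code is None or not hmac.compare_digest(totp(user["totp_secret"], now), code):
        return "denied: second factor missing or wrong"
    return "ok"


def flag_leaked_credentials(leaked: list[tuple[str, str]]) -> list[str]:
    """Replay (username, plaintext) pairs from a dump against our own hashes; the pairs
    that verify are 'real and current' for this service, so lock those accounts."""
    flagged = []
    for username, plaintext in leaked:
        user = USERS.get(username)
        if user is not None and verify_password(user, plaintext):
            user["must_reset"] = True
            flagged.append(username)
    return sorted(set(flagged))


def set_password(username: str, new_password: str, known_leaked: set[str]) -> bool:
    """Reset flow: refuse a password that appears in the leaked corpus or merely repeats
    the old one (neither is unique nor secret); otherwise store it and clear the lock."""
    user = USERS[username]
    if new_password in known_leaked or verify_password(user, new_password):
        return False
    user["pw_hash"] = hash_password(new_password, user["salt"])
    user["must_reset"] = False
    return True


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time; Alice's 6-digit code at this time is 081804
    print(login("alice", "correct horse battery staple", None, now))      # password only: denied
    print(login("alice", "correct horse battery staple", "081804", now))  # both factors: ok
    dump = [("bob", "hunter2"), ("alice", "password1")]                   # constructed leak
    print(flag_leaked_credentials(dump))                                  # ['bob']
    print(login("bob", "hunter2", totp(USERS["bob"]["totp_secret"], now), now))
    print(set_password("bob", "hunter2", {p for _, p in dump}))                   # False
    print(set_password("bob", "a new, unique passphrase", {p for _, p in dump}))  # True
```

Note that the dump is replayed against the stored hashes rather than compared to any plaintext list on the server side: the service never needs to hold plaintext passwords to learn which leaked pairs are live, and only the accounts that actually match are locked, which is what avoids resetting an entire user base when most of a dump is stale.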

Finally, recognize and accept that there is no perfect security system.  Ultimately, customers of Deutsche Telekom and Twitter were victimized by hackers who exploited weaknesses outside either company’s reasonable control: reused passwords and compromised user devices.  So long as companies hold sensitive or valuable data, hackers will always be looking for the next window of opportunity to breach them.  In the wake of its so-called “hack,” Twitter took the opportunity to speak directly to its users about what data was accessed, what proactive, protective measures Twitter had taken, and what additional security features were available to all users to help protect them in the future.  Deutsche Telekom issued a press release prominently on its website speaking directly to the cause of the leak, advising customers to “Change Passwords Now,” and using the incident as an opportunity to teach users not to reuse a password across services.

Both Deutsche Telekom and Twitter were faced with an impossible situation:  their servers were still secure but their users’ data was at risk.  But by acting fast to protect their users from the breach at hand, and using the opportunity to educate users and secure against future breaches, the companies came out ahead.
