Data breaches — who needs to know?

Results from warning decision-makers affected by data breaches in Finland

Bruno Triani
badrap.io

--

This article addresses the last question from my previous study: are the executives involved in data breaches aware of their exposure? During my analysis, I came across dozens of people who had had their credentials for both personal and work-related identities leaked. I couldn’t just sit on this information, so I notified them.

How was the notification made?

At Badrap, we are on a mission to get security information delivered to those who need it. Personal security issues can be exploited to affect companies. In the digital realm, our personal and work identities intertwine with one another, and it has become less obvious who should be notified about security issues related to those identities. If we share our findings with corporate security teams, we end up exposing non-work-related matters. On the other hand, reaching the affected people takes careful craft to make the message clear without being alarmist. And since I ran this study while working at a security company, recipients could easily dismiss my message as marketing.

We have many identities. Some are personal, and some are work-related. Security issues related to personal identities can affect companies. Who should get the warnings? The company or the individual?

Because the information we found involved personal email addresses, we notified the victims directly by email and gave a heads-up to the security teams in those companies where we already had a contact. You can find both email templates at the end of this article.

Answers received

Of the eleven companies contacted, only two responded, and the responses came from CISOs (chief information security officers) rather than from the victims. In both cases the messages were very similar: they acknowledged the importance of raising awareness and of making sure the victims knew, but also asked that any future victim notifications be sent to the security team first. I was glad to hear that both organizations actively monitor data breaches related to their corporate domain.

I replied to their emails, thanking them for their feedback and promising that I would pass any further notifications on to them. I wrote that, while I understood their wish to stay on top of issues affecting their employees, I should only disclose exposed private information to the affected person.

Cybersecurity has ended up in a position similar to occupational health regarding this balance between the individual and the company. An employee’s behavior and habits can affect their work, but the employer must respect their privacy. When the data is about people, including their personal identities, who should get the information?

Lessons learned

1- Show the actual results — not just the method used to get them. Seeing the findings would help people better understand how we are trying to help. The victims’ notification email explained the method used to find the potential exposures but didn’t show the results, such as the email addresses involved and the services that leaked their data.

2- Give a heads-up to the security teams in all companies. We considered this a nice-to-have, but it is likely a must-have. Instead of only messaging the contacts we already knew, it would be better to give all those professionals the time and opportunity to talk to their colleagues before the victims’ notification hits their inboxes.

3- Avoid hyperlinks. I wrote the addresses of the services and pages I used during my study as plain text. I didn’t want active hyperlinks in my email (nothing that could resemble a phishing attempt), but I realize that some email clients turn any valid internet address in the message body into an active link anyway.

4- Timing. I sent the notifications on the morning of the 31st of December. Even though it was a normal working day, some people were on holiday. The idea was to contact all the potential victims as soon as possible, but choosing a better day would have improved the odds of the message being seen. And I wouldn’t have needed to check my email regularly to answer enquiries on New Year’s Eve.

Below you will find the email templates referred to at the beginning of this article.

Email sent to the victims:

Subject: (full name) — notification about a potential data breach

Dear (last name),

I’m researching data breaches to understand how they affect large companies in Finland. I’m contacting you directly because I found your email address in publicly available data breach material. You are one of many: it appears that data breaches have affected 65% of the executives of the 11 most valuable companies in Finland. Their emails and passwords were leaked from other services (e.g., LinkedIn, Adobe, eBay, etc.).

You may be aware of these issues and worked on them already. In this case, I apologize for the redundant report.

I am not publishing any specifics about the companies or people involved, only statistics. The goal of my research is to understand how executives deal with cybersecurity awareness when notified about data breaches. Below are frequently asked questions and more details about the steps I followed to find the information regarding the data breaches potentially affecting you.

Where did I get the results? To check the email addresses of the executive board, I combined information from the following sources:

1 — (company’s link with the description of the executives)

2 — Discovered current and other email addresses (such as personal and past addresses) using web-crawling services like RocketReach.co

3 — and then checked whether they were involved in data breaches (with password exposure) on haveibeenpwned.com

What can be done to protect my accounts? Some companies have found it useful to encourage affected users not to reuse breached passwords and, where possible, to enable two-factor authentication. If you feel you could help with my research, you can reply to the question below by email.

SURVEY QUESTION: How did you learn about these specific breaches? (choose all that apply)

Original data leak source (3rd party service that leaked): yes/no

Your company’s staff: yes/no

News or other media: yes/no

This notification email: yes/no

Other: please describe

Thank you very much. If I can be of any assistance, let me know.

FAQ

How am I exposed? From previous experience and studies, it is common to see people reusing passwords across different services, such as corporate email and social media platforms. The risk of a breached password is that someone with access to the leaked data tries to log in to other services the victim uses with the same or a similar password. In some cases, criminals also attempt extortion, claiming to hold more information than your email and password.

How many people have been affected by these breaches? These breaches affect virtually all Internet users. Other businesses and individuals are dealing with the same challenge.

Who are you? I’m Bruno Triani, and I have a professional interest in the data breach topic. I write articles about the topic, and my company works in this field.

Are you selling something? No. My company and I don’t mix victim notifications with commercial activities. All the relevant information is packaged here. No strings attached.

Are you going to publish this? I never publish victim details. I may publish general findings and aggregated statistics as part of my research. Some of my findings can be found in my Medium blog articles.

Where did you get your information? I use publicly available information, which is easy to get. I’ve documented my methodology in my blog articles.

We are already aware of this; why are you contacting us? Great. One issue I have seen is that the victims are often not aware, even when the information is publicly available. Or they may be aware of the issue but think there is nothing they can do, or even that it does not matter.
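The template above advises affected people not to reuse breached passwords, and the FAQ explains why reuse is the real risk. The check behind that advice can be done without ever sending a password anywhere: haveibeenpwned.com’s Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash and returns every known suffix for that prefix, so the match is made locally. The script below is an added example, not code from the article or from Badrap; it assumes the documented range endpoint, and the response it checks against is constructed for offline demonstration rather than real breach data.

```python
"""Check a password against a breach corpus using the Pwned Passwords
k-anonymity range API (haveibeenpwned.com).

Added example, not code from the original article or from Badrap.
Assumes the documented endpoint https://api.pwnedpasswords.com/range/<prefix>.
The sample response used below is constructed for offline demonstration.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character hash prefix leaves the machine.
    'Add-Padding' asks the server to mix in dummy entries (count 0) so
    response size does not reveal how many real suffixes the prefix has."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {SUFFIX: count}.
    Tolerates blank lines and CRLF endings; drops padding entries (count 0)."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 if never).
    The hash is split locally: prefix goes to the API, suffix stays here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_breached(password: str, fetch=fetch_range) -> bool:
    """Policy helper: any appearance in the corpus means 'do not use'."""
    return pwned_count(password, fetch) > 0


def constructed_response(known: dict) -> str:
    """Build a fake range response (constructed data, not from the API)
    containing the given {password: count} entries plus filler and padding
    lines, so the parsing and matching can be exercised offline."""
    lines = [
        "0123456789ABCDEF0123456789ABCDEF012:3",  # filler suffix (35 hex chars)
        "FEDCBA9876543210FEDCBA9876543210FED:0",  # padding entry, must be ignored
    ]
    for pw, count in known.items():
        lines.append(f"{sha1_hex(pw)[5:]}:{count}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Offline demo against the constructed response; swap in the default
    # fetch_range to query the real API.
    sample = {"password123": 12345}
    offline = lambda prefix: constructed_response(sample)
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline)} times, breached={is_breached(pw, offline)}")
```

A security team can run this against passwords being set on its own systems (for example, as a check at password-change time) rather than against leaked data; the k-anonymity design means the remote service never learns the full hash, let alone the password. Calling `pwned_count(pw)` with the default fetcher performs the live query.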

Email sent to the cybersecurity professionals whose contact details I already had:

Hi. I’m Bruno from Badrap, a security company from Oulu. I’m researching data breaches to understand how they affect large companies in Finland. As part of this research, I became aware of a handful of your decision-makers’ involvement in data breaches. As the final part of my study, I’m notifying them about the breaches just in case, and asking for their voluntary feedback about where they first heard about the breaches (if they did) — see the template below.

If you have any questions or comments, feel free to contact me.

--
