We all jumped on "the Equifax dumpster fire bandwagon" recently and pointed to all the things that went fundamentally wrong with their disclosure process. But it's equally important that we acknowledge exemplary handling of data breaches when they occur because that's behaviour that should be encouraged.
Last week, someone reached out and shared a number of data breaches with me. Breaches I'd never seen before. Some of them were known by the companies who'd previously made public disclosures; ReverbNation, Bitly and Kickstarter. One of them, however, showed no previous evidence of disclosure - Disqus.
I first saw the Disqus data first thing Friday morning my time in Australia. Verification wasn't difficult because my own record was in there (there's nothing like finding your own data in a breach to help expedite verification!). I reached out to an existing contact I had at Disqus via email as soon as I had a reasonable degree of confidence that the data was accurate (a couple of hours after I received it). From that moment, the timeline in their public disclosure began, which I highlighted in this tweet:
23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected pic.twitter.com/lctQEjHhiH
— Troy Hunt (@troyhunt) October 6, 2017
Think about everything that had to happen within this time frame:
- I had to get a response and establish communication
- I had to get the data to them securely (over Australian internet speeds...)
- They had to download and review the data
- They had to establish the legitimacy of the data
- They had to ensure there was no ongoing risk in their system
- They had to invalidate passwords that had been exposed
- They had to contact the impacted users in the previous point
- They had to prepare the communication in the aforementioned disclosure
On top of all that, the CEO made himself available to personally answer questions from the press. Less than a day earlier, they had absolutely no idea what was coming yet they managed to pull all this together in record time. Consequently - and this is what I really want to highlight here - people responded amazingly well to the incident:
Good on them! Bugs happen and they suck. But kudos on really owning it.
— Jesse Houston (@gtez) October 6, 2017
Extremely rare to see any organization with millions of users react that quickly after a breach. Usually takes weeks for the “quick” ones.
— Dylan Hailey (@TibitXimer) October 7, 2017
This is how you handle a breach...upfront and explained in basic terms. Way to go @disqus, now off to change my password ;-) https://t.co/uyVIvPdHs6
— Dale Meredith (@dalemeredith) October 7, 2017
That seems like an absolute template for sharing a security breach, timeline, user effects, security enhancements post event
— Sean Holcroft (@Y90SMH) October 7, 2017
Damn.. that is pretty darn good work @disqus! https://t.co/ZI1L46Wi1Q
— Erwin van der Koogh (@evanderkoogh) October 7, 2017
That's how it should be done. The contrast with Equifax is stark https://t.co/rGWSGHsEXL
— Dave Poole (@DavidJPoole) October 7, 2017
There were many more responses with a consistent theme across them. This was a dark moment for Disqus and there's no sugar-coating the fact that somehow, somewhere, someone on their end screwed up and they lost control of customer data. But look at the public sentiment after their disclosure; because of the way Disqus handled the situation, it's resoundingly positive. Compare that to Equifax and the comments I made about their handling of the breach only one month ago:
Here's the lesson for everyone else who is yet to disclose all the breaches that are still to come: after an incident like this, everyone wants to pile blame on the company involved. They’ll look for any little excuse to vent their anger because they're quite rightly upset about the whole thing.
Following the Red Cross Blood Service data breach down here almost a year ago, I later wrote about Data Breach Disclosure 101: How to Succeed After You've Failed. In there, I highlighted many of the things the Red Cross had done well and indeed many of the things that other organisations had done poorly. When I look at how Disqus handled their incident, they ticked so many of the boxes:
- It was easy to report to them (admittedly, my having an existing contact there inevitably made it easier than if I was coming out of the blue)
- They applied urgency, more than I can honestly say I've seen any company do before under similar circumstances
- They disclosed early, earlier than anyone could have reasonably expected (I normally consider 72 hours the "Gold Standard")
- They protected impacted accounts very quickly by resetting the passwords of accounts that had them disclosed
- They were entirely transparent; there was never a moment where I thought they were attempting to spin this in their favour at the expense of the truth
- They provided details - the passwords were salted SHA1 hashes which is not a pretty story to tell in this day and age, but they told it truthfully regardless
- They apologised (it was one of the first things they said); they owned this incident from the outset and didn't attempt to divert blame elsewhere
I still have multiple other data breaches from the same set that Disqus came in, totalling tens of millions of records. I'm quite sure the companies involved don't know they were breached and nor do their customers. I'm presently working on the disclosure of these and frankly, I dread the process because it rarely ever goes as smoothly as the one above. But I'll go through it anyway because it needs to be done; in one of these incidents alone, I have over 31k Have I been pwned subscribers and this is precisely the sort of thing they want to know about. Stay tuned.