Data breaches — who needs to know?

Results from warning decision-makers affected by data breaches in Finland

This article addresses the last question from my previous study: Are the executives involved in data breaches aware of their exposure? During my analysis, I came across dozens of people who had the credentials for both their personal and their work-related identities leaked. I couldn't just sit on this information, so I notified them.

How was the notification made?

At Badrap, we are on a mission to get security information delivered to those who need it. Personal security issues can be exploited to affect companies. In the digital realm, our personal and work identities intertwine with one another, and it has become less obvious who should be notified about security issues related to those identities. If we share our findings with corporate security teams, we end up exposing non-work-related matters. On the other hand, reaching the affected people takes careful craft to make the message clear without being alarmist. And since I was running this study while working for a security company, recipients could easily dismiss my message as marketing.

We have many identities. Some are personal, and some are work-related. Security issues related to personal identities can affect companies. Who should get the warnings? The company or the individual?

Considering that the information we found involved personal email addresses, we notified the victims directly by email and gave a heads-up to the security team whenever we had a contact in that company. You can find both templates at the end of this article.

Answers received

Of the eleven companies contacted, only two responded, and the responses came from CISOs (chief information security officers) rather than from the victims. In both cases, the messages were very similar. They acknowledged the importance of raising awareness and of making sure the victims knew, but they also asked that any future victim notifications be sent to the security team first. I was glad to hear that both organizations actively monitor data breaches related to their corporate domain.

I replied to their emails, thanking them for their feedback and promising that I would pass on to them any further notifications. I wrote that, while I understood their wish to stay on top of issues affecting their employees, I should disclose exposed private information only to the affected person.

Cybersecurity has ended up in a position similar to occupational health regarding this balance between the individual and the company. Employees' behavior and habits can affect their work, but the employer must respect their privacy. When the data is about people, including their personal identities, who should get the information?

Lessons learned

1- Show the actual results — not just the method to get them. Seeing the findings would help people understand better how we are trying to help. The victims’ notification email explained the method used to find the potential vulnerabilities but didn’t show the results, like the emails involved and the services that leaked their data.

2- Give a heads-up to the security teams in all companies. We considered this a nice-to-have, but it is likely a must-have. Instead of messaging only the contacts we already knew, it would be better to give all those professionals the time and opportunity to talk to their colleagues before the victims' notification hits their inbox.

3- Avoid hyperlinks. I wrote the addresses of the services and pages I used during my study as plain text. I didn't want active hyperlinks in my email (nothing that could resemble a phishing attempt), but I realize that some email clients create active links simply because a valid internet address appears in the message body.
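One way to keep plain-text addresses from being auto-linked is the "defanging" convention used in threat-intel reports (hxxps://, example[.]test, user[at]example[.]test): the reader can still transcribe the address, but mail clients do not recognise it as a link. The script below is an added example, not Badrap's notification code or the author's template; the message body and every address in it are constructed placeholders, and the regular expressions are an assumption about what typical mail clients auto-link, not a specification of any particular client.

```python
import re

# Constructed sample notification body. The addresses are placeholders
# (.test TLD), not the services or companies from the study.
SAMPLE_BODY = """Hello,

Your address appeared in a published breach. You can verify this yourself
at https://example-breach-check.test/lookup and read more at example-blog.test/post.
Questions: security@example-company.test
"""

# Assumed patterns that mail clients typically turn into clickable links:
# scheme or www-prefixed URLs, e-mail addresses, and bare hostnames.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def find_autolink_candidates(text):
    """Return every substring a mail client is likely to auto-link, in order of appearance."""
    spans = []
    for pattern in (URL_RE, EMAIL_RE):
        spans.extend(m.span() for m in pattern.finditer(text))
    # Bare hostnames count only when they are not already part of a URL or e-mail match.
    for m in HOST_RE.finditer(text):
        start, end = m.span()
        if not any(a <= start < b for a, b in spans):
            spans.append((start, end))
    spans.sort()
    return [text[s:e] for s, e in spans]


def defang(text):
    """Rewrite URLs, hostnames and e-mail addresses so they stay readable but are not auto-linked."""
    # http:// -> hxxp://, https:// -> hxxps://
    text = re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)
    # user@host -> user[at]host (the host part is handled by the hostname pass below)
    text = EMAIL_RE.sub(lambda m: m.group(0).replace("@", "[at]"), text)
    # example.test -> example[.]test
    text = HOST_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    return text


def is_link_free(text):
    """True when no auto-linkable token remains; use as a pre-send check on the final body."""
    return not find_autolink_candidates(text)


if __name__ == "__main__":
    print("Before:", find_autolink_candidates(SAMPLE_BODY))
    body = defang(SAMPLE_BODY)
    print(body)
    print("Link-free after defanging:", is_link_free(body))
```

Running the defanged body back through the candidate finder is the part worth keeping: it turns "I hope the client will not linkify this" into a check that runs before the notification goes out. The trade-off is that recipients must un-defang the address by hand, which is also a useful cue that they are expected to type it rather than click it.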

4- Timing. I sent the notifications on the morning of the 31st of December. Even though it was still a normal working day, some people were on holiday. The idea was to contact all the potential victims as soon as possible, but choosing a better day would improve the odds of the message being seen. And I wouldn't have needed to check my email regularly to answer enquiries over New Year's Eve.

Below you will find the email templates referred to at the beginning of this article.