Oh my. DataBreachWallofShame.org posted some of CISO Darknet Group’s attempts to alert Adult Friend Finder back on March 12 that their data had been stolen and were up for sale. The alert was pretty clear, and they got a read receipt – but not actual acknowledgement.
Note that their alert made it clear that FFN did not have to hire them to get the information:
This is not a hard sell or scare tactic, this is what our organization was built on; CyberHumint methodologies for fraud prevention. This information will be provided to you free and our work pro-bono.
So why didn’t FFN respond?
They would later claim they never got the notification – despite, apparently, the read receipt.
More than two months later, on May 22, CISO Darknet Group claims they tried again to notify FFN:
I was just alerted that Adult Friend Finder Network have recently contacted law enforcement concerning your data breach. As you can see from the email below we tried to alert you 2 months ago. We still have access and profile of the bad-actor behind your breach as well as access to all the records compromised.
We can certainly assist should there be an acknowledgment of this alert this time.
And… wait for it… another read receipt – this time allegedly from Diana Ballou, Vice President, Senior Counsel – Corporate Compliance and Litigation – but again, no personal message or request for information.
Read the emails and see what you think. One disclaimer: I have no way of verifying the accuracy of any of their claims, but I’m betting that when a class action lawsuit is filed (or has one been filed already), these emails are going to come into play. And not only may they come into play by plaintiffs, but FFN’s insurer may try to use them to limit their responsibility to FFN.
We’ll see….
Update 1: Friend Finders Network is standing by their statement that despite the read receipt, the March 12th alert with the subject line “BREACH ALERT! URGENT!” was never read and went to a spam folder.
I don’t see how both things can be true – that they never read it but issued a read receipt (unless they send read receipts for everything, including spam) – but aren’t they still responsible for configuring their spam filters? Does no one actually go thru the spam folder to catch false positives?