DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Thinking about incident response

Posted on February 23, 2016 by Dissent

So I woke up to find that uKnowKids had issued a statement yesterday about their exposed database, an exposure that had been uncovered by and reported to them by Chris Vickery.

Regular readers of this blog will recognize Chris’s name by now, as he’s uncovered a number of misconfigured databases that have been investigated by this blogger, Vickery, and Steve Ragan of Salted Hash, including exposures of

  • 191 million registered voters
  • 19 million voter profiles
  • Three Lock Box
  • Microsoft careers site
  • California Virtual Academies
  • Vixlet fan networks
  • Earbits
  • Patricia Mullen client data
  • Hello Kitty
  • MacKeeper
  • AllianceHealth
  • Hzone
  • iFit
  • Virtue Center for Art & Technology
  • Nomi, and the one that started this site’s collaboration with Vickery:
  • Systema Software.

That’s a lot of exposed personal information that we would not want in the hands of criminals, and thankfully, it was Vickery who uncovered the exposures and reported them to the responsible parties.

So what is the appropriate response when someone calls you to tell you that your database with personal and/or proprietary information is exposed?

The appropriate response, in my opinion, is “Thank you so much!”

And the appropriate disclosure is to tell your customers or individuals that due to a mistake, their data was exposed, but thankfully, a researcher spotted it and reported it to you so that you could secure the data.

Painting the researcher as some kind of “hacker” will only worry your customers needlessly if the researcher is Vickery, who has cooperated with federal and state law enforcement and destroys any data or evidence he downloads once the entity acknowledges the breach and reports it accurately.

Sadly, Steve Woda, CEO of uKnowKids jumped to try to portray his firm as victims of some hacker:

It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker

Perhaps he thinks that sounds better than to forthrightly tell consumers, “We screwed up and our data and yours was exposed, but thankfully, some good-guy researcher spotted our mistake and alerted us. We are not worried about him misusing your information, given his reputation, but to reassure you, we are offering you….”

In his original communication to this site, Vickery claimed that Woda tried to intimidate him during a phone conversation with “veiled threats:”

In fact, during that very same phone call, Steve Woda tried all manner of intimidation tactics against me. I can only assume that this is because he doesn’t want anyone reporting on the incident. Woda repeatedly insisted that I have acted inappropriately in my response to discovering and alerting his company to the gaping breach.

Furthermore, he tried to convince me that an outlet reporting on the breach could face liability under COPPA (a claim which is, of course, preposterous).

For his part, Woda has tweeted publicly that he made no attempt to intimidate Vickery but did insist Vickery delete all the personal and proprietary information he had downloaded  – including screenshots.

From having collaborated with Vickery on numerous breaches, this blogger is confident that had Woda simply asked Vickery to secure and then securely delete the data, Vickery would likely have agreed. His protocol is to only retain data as proof of his claims until such time as the entity acknowledges the claims or doesn’t try to cover them up.

So…. if you’re looking at incident response, think about whether it’s better to just admit you made a mistake that was caught by a good-guy researcher, or whether you really want to potentially alarm your customers by suggesting that you were “hacked” by someone with a track record of being responsible.  Suggesting that you were a “victim” of some “hacker” may appeal to you initially from a PR standpoint, but in the long run, customers will respect you more if you just say you screwed up, thankfully, no one was harmed, and you’re taking steps to ensure it doesn’t happen again.

Just my .o2 with my morning coffee.

Related posts:

  • uKnowKids database exposed personal and location info of 1,740 kids (Update1)
  • 191 million voters’ personal info exposed by misconfigured database (UPDATE2)
  • uKnowKids responds to reports of exposed database
  • Did a Christian right-wing organization expose private details of millions of people?
Category: Breach IncidentsCommentaries and AnalysesOf Note

Post navigation

← AU: Flinders Medical Centre health staff caught snooping in Cy Walsh’s medical records
St. Joseph Hospital employee information leaked in phishing scam →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.