If you read my post about the hack involving three Canadian chapters of Crime Stoppers, or if you follow me on Twitter (@pogowasright), you know that I’ve had a frustrating time trying to alert those chapters that they’ve been hacked and need to secure their data better.
In the interim, as I browsed the pastes of the hacked data (which I am not linking to but are still available online), I discovered the following communication in December, 2014 from Pat Gillie of the Ontario Association of Crime Stoppers Board of Directors to Fred Hicks of Ontario Crime Stoppers. I’m redacting some of the metadata:
[IP redacted] Message for Fred Hicks
This message has been sent to you by
Pat Gillie via the OACS website staff directory page.
Submitted: Thursday, December 4, 2014, 5:44 pm
Sender”s Email: [redacted]Fred – do you know how secure our site is?
How would you know if it had been hacked.?If you are home on Friday I will give you a call to explain why I am sending this message this way. – Pat
I’d love to know how Hicks answered her if and when they spoke, because it’s clear that months later, Crime Stoppers – at least the Waterloo, Peel, and Ontario regions – did not know when their sites got hacked.
A Canadian reader informs me that he finally connected with someone in IT from an unaffected chapter of Crime Stoppers who said he will reach out to the affected chapters to alert them. I also reached out OpenCERT in Canada last night, and they have already responded that they will also reach out to the affected Crime Stoppers chapters.
But why, oh why, don’t sites that collect and store personal information prominently display an email address to use for reporting security breaches or data security concerns? It would make life so much easier for me – and ultimately, for them.