It sounds like such a simple question that should have an obvious “yes” answer, but you might be surprised to see what happens when hackers taunt social media teams about hacks. It’s an issue I’ve mentioned before:
NullCrew revealed that they had access to Bell’s server for months, and had disclosed that to them in a chat with Bell Support weeks ago. A screenshot of the chat between NullCrew and Bell Support employee “Derek” shows that NullCrew was informing Bell that they were in possession of users’ information — DataBreaches.net, February 2, 2014.
If your business has a Twitter account, do those responsible for it know how to respond to tweets informing them of a data security breach? — DataBreaches.net, August 24, 2015.
Last night, it happened again: a well-intentioned social media team on Twitter did not appear to understand that they were being told they had been hacked. USAA’s Twitter team’s responses left people variously laughing at them, mocking them, or if they were a customer, worried for the security of their information.
Here was how the exchange began:
how much is your customer base worth on the black market? @usaa
— Ryan (@obstructables) November 6, 2016
@obstructables Hello Ryan. Not sure we understand your statement. Can you clarify please? Thanks!
— USAA (@USAA_help) November 6, 2016
@USAA_help your bank just had a data breech and i was wondering what i could sell your database for on the black market?
— Ryan (@obstructables) November 6, 2016
Even then, USAA’s Twitter team did not seem to understand:
@obstructables Ryan we are unaware of a data breech you are referring to. If you would like to discuss your request we would be happy to.
— USAA (@USAA_help) November 6, 2016
At one point, still seemingly misunderstanding the situation, they actually suggested he contact their Fraud Department:
@obstructables Please contact our Fraud Department at 800-951-4539 24 hours a day, 7 days a week.
— USAA (@USAA_help) November 6, 2016
While some hackers might call the Fraud Department to taunt them, notification really should be through their internal policies and procedures, right?
But seeing that suggestion, a USAA customer did reach out to their Fraud Department. In a private message to DataBreaches.net, the customer, who asked that we not identify him by his Twitter nick, says that he spoke to a representative who asked him no questions about specifics, and suggested he send an email to abuse@. When he reportedly pushed the representative to let him speak to a supervisor, the representative wouldn’t do that, but said that the matter would be escalated. The customer reports that he subsequently did send an email to the abuse account that included screenshots of the Twitter exchange between @obstructables and @USAA_help. So far, he has not heard back.
Meanwhile, back in the public Twitter thread, @obstructables tried what should have been a clearer message to @USAA_help:
Lizard Squad owns USAA @USAA_help
— Ryan (@obstructables) November 6, 2016
Finding the exchange somewhat painful to read, this blogger jumped in (typo in original):
Ugh. @USAA_help doesn’t recognize that they should escalate @obstructable’s tweets to their security/IR team: https://t.co/JpnIhGg6vO
— Dissent Doe (@PogoWasRight) November 6, 2016
@USAA_Help thanked me for my inquiry that wasn’t an inquiry, but it’s not clear that they actually did anything, so I followed up later:
@USAA_help @USAA Did you escalate @obstructables’ tweets to your data breach incident response team?
— Dissent Doe (@PogoWasRight) November 6, 2016
That was last night, and I got no answer.
“Unpaid” also tried to help:
@USAA_help @obstructables USAA, please take basic security mesures, and issue immedate password rests to all customers.
— Unpaid (@Unpaid_) November 6, 2016
They do not appear to have answered that tweet, either.
As of this morning, the USAA Twitter team still didn’t seem to have a clue, as this response to another taunt from @obstructables suggests:
@obstructables Please DM us details of your concerns. We would like to look into this further with you.
— USAA (@USAA_help) November 6, 2016
So even after he told them, “Lizard Squad owns USAA,” it appears that their team may not have understood what that means.
Had USAA initiated any investigation or incident response? I looked at their web site and can’t find any dedicated phone number or email address for reporting a security incident concern, so I emailed their media relations department and asked them to forward the communication to their CISO or incident response team.
To be clear: DataBreaches.net did not (and does not) know if @obstructables is telling the truth or just trolling USAA, but what I do know is that USAA’s Twitter team did not seem to understand the communications and may not have escalated a security concern. I attempted to get them to understand with yet more tweets this morning explaining what they were being told. This time, I got a clearer response:
@PogoWasRight Thank you for reaching out to us. The situation has been reviewed and USAA has not been breached.
— USAA (@USAA_help) November 6, 2016
I am glad to learn that the situation apparently was investigated (although could they have really thoroughly investigated and ruled out a breach that quickly?). I hope @obstructables was just trolling. DataBreaches.net did ask @obstructables for some proof of his claims, but has received no response as yet.
But the main point of this post is that hackers will not always give you a clear statement like, “Hello, we want you to know that we have hacked you and stolen all your customer data.” Social media teams need to recognize alerts, however crude or taunting they might be, and then escalate the tweets to their CISO or incident response team, who can investigate whether there has been a security breach. It would be interesting to know exactly when USAA’s Twitter team first escalated the security concern, if they did.
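To make that escalation rule concrete, here is a small triage script added for this post (it is not code from DataBreaches.net, USAA, or anyone in the exchange). It scores inbound social-media mentions against weighted indicators of a security-incident claim and routes anything over a threshold to the incident response team. The indicator list, the weights, the thresholds and the sample messages are all this example's assumptions; the group name is included only because it appears in the tweets above, and a real team would feed such names from its own threat-intelligence source. The thread-level function shows why context matters: a taunt that is vague on its own still escalates once the same account keeps adding detail.

```python
import re
from dataclasses import dataclass

# Weighted indicators of a security-incident claim (assumed values for this
# example). "bre[ae]ch" deliberately matches the common misspelling "breech",
# since such messages are rarely spell-checked.
INDICATORS = [
    (re.compile(r"\bdata\s+bre[ae]ch(ed)?\b", re.I), 3, "breach claim"),
    (re.compile(r"\blizard\s+squad\b", re.I), 3, "known threat-actor name"),
    (re.compile(r"\b(hacked|pwned|owns?|owned)\b", re.I), 2, "compromise claim"),
    (re.compile(r"\b(black\s+market|sell(ing)?|dump(ed)?)\b", re.I), 2, "data-sale language"),
    (re.compile(r"\b(database|customer\s+(data|base|info\w*))\b", re.I), 1, "data asset named"),
    (re.compile(r"\b(security|password\s+re\w*|incident\s+response)\b", re.I), 1, "security process referenced"),
]

ESCALATE_AT = 3   # hand to the CISO / incident response team
REVIEW_AT = 1     # hold for a second look before treating as ordinary support


@dataclass
class Triage:
    score: int
    reasons: list
    route: str


def route_for(score):
    """Map a score to a handling route (thresholds are assumptions)."""
    if score >= ESCALATE_AT:
        return "escalate"
    if score >= REVIEW_AT:
        return "review"
    return "standard"


def triage(text):
    """Score one mention. Each indicator counts once however often it appears."""
    hits = [(w, label) for pattern, w, label in INDICATORS if pattern.search(text)]
    score = sum(w for w, _ in hits)
    return Triage(score, [label for _, label in hits], route_for(score))


def triage_thread(messages):
    """Score a whole exchange from one account: indicators are unioned across
    messages, so repeated taunts accumulate evidence instead of being judged
    one tweet at a time."""
    seen = {}
    for text in messages:
        for pattern, w, label in INDICATORS:
            if pattern.search(text):
                seen[label] = w
    score = sum(seen.values())
    return Triage(score, sorted(seen), route_for(score))


# Constructed sample mentions paraphrasing the public tweets quoted in the post,
# plus one ordinary support request for contrast.
SAMPLE_THREAD = [
    "how much is your customer base worth on the black market? @usaa",
    "@USAA_help your bank just had a data breech and i was wondering what i could sell your database for on the black market?",
    "Lizard Squad owns USAA @USAA_help",
]
BENIGN = "@USAA_help the mobile app keeps logging me out, anyone else?"

if __name__ == "__main__":
    for msg in SAMPLE_THREAD + [BENIGN]:
        t = triage(msg)
        print(f"{t.route:9s} score={t.score} {t.reasons}  <- {msg[:60]}")
    print("thread:", triage_thread(SAMPLE_THREAD))
```

The point of the thread-level score is the one the post makes: the social media team should not need a tidy "we hacked you" sentence. Three loosely worded tweets from one account that name a data asset, a sale, and a group already add up to something the incident response team, not the support queue, should look at.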
This post will be updated if more information becomes available.
Update 1: In response to my initial inquiry to their media relations, USAA sent the following statement:
We continuously monitor and protect our systems, and our security and service to members have been operating normally.
Our 24×7 social media monitoring team provides service to members with questions, and they maintain contact with our security team as well. In this case they confirmed no systems issues and continued offering member service.
We are always working to improve, and we will look at these events with that in mind.