Hacked? Don't Respond Like This

Today Lorenzo Franceschi-Bicchierai broke the story that VTech's "Learning Lodge" app store database had been hacked. Lorenzo's story for Motherboard has the details and Troy Hunt provided the detailed analysis.

Long story short, attackers managed to gain access and leak data on 4.8 million accounts, including over 200,000 profiles of children. Worse, the data contains enough information to easily locate the children in the real world.

This is unacceptable on so many levels.

VTech's handling of the breach provides an excellent template for what not to do after you've been hacked.

1. DON'T HIDE IT

You need to get out in front of a data breach. Clear, confident communications are the key to making sure that customers feel valued. Your customers need to understand that you are on their side and that you're not simply looking to CYA.

Unfortunately, VTech did what most companies do, and it's just not enough. Here is the timeline as reported by Motherboard and confirmed by VTech:

  1. 14-Nov-2015. VTech is hacked
  2. 23-Nov-2015. VTech is informed of the hack by Lorenzo from Motherboard
  3. 24-Nov-2015. VTech starts an investigation and confirms the breach
  4. 27-Nov-2015. Lorenzo & Troy Hunt both publish their articles detailing the hack. VTech informs affected customers

So what did VTech do wrong here? Informing affected customers by email is a good thing, but the rest of the details of the hack are hidden away on their corporate site in the form of a news release and an FAQ.

Most customers visit the product site, www.vtechkids.com, not the corporate site, www.vtech.com. On the product site and on social media there is no sign of the breach. These are the primary channels the company uses to communicate with customers, and they are dead air with regard to the breach.

2. DON'T MINIMIZE IT

If you read through all of the material (both articles and VTech's response) there's a big discrepancy. VTech states in their FAQ (7.3),

In addition, our customer database does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

That's partially true and that's a problem.

No ID cards, SSNs, or driver's license numbers were stolen as part of the breach. However, personal identification data was stolen.

Full home addresses, digital contact info, dates of birth, and parental relationship information were included in the data breach.

By any reasonable or legal definition, that's personally identifiable information.

[I've reached out to VTech via email for clarification on this point and am still awaiting a response.]

When your company is breached, don't minimize the impact of the breach. Don't use evasive language to reduce the apparent severity. It's dishonest and reduces consumer trust.

3. DON'T IGNORE THE NEXT STEPS

At the end of the FAQ and statement, VTech makes the classic statement alluding to a re-evaluation of their security posture. They are going to "look at additional ways to strengthen our Learning Lodge database security" and take "additional measures to strengthen" security.

This means nothing. Or it could mean they'll actually do something. Regardless, it's written in wishy-washy corporate speak.

When you're responding to a breach you want to re-instill confidence in your customers. Clear statements of ownership and explanations of next steps are critical to success.

Try statements like:

"We've pulled in experts from ___ and are implementing a new security plan. Look for regular, weekly updates from us on our progress"

"The investigation highlighted issues with our technology and process. With help from outside experts, we've got a new plan in place to ensure this type of breach is unlikely to happen again. You'll see changes in our service regularly as we take steps to increase our security."

The key here is to indicate that you've actually gone outside and pulled in some expert help. Your current team and controls weren't good enough (obviously), so it's crucial to show that you've seen that and are fixing it.

Then—and here's the key—actually fix the issue and improve your security. And then tell the world about it!

BONUS: DO THIS

Apologize. "We're sorry this happened."

Better yet, "We're sorry this happened. It's embarrassing and we hope that you'll continue to be our customer. You put your trust in us and we didn't live up to that trust. We're going to do everything we can to earn it back."

It's amazing how far a statement like that will go to rebuild the relationship with your customers.

THE BIGGER QUESTION

In my next post I'll tackle the bigger question that you should be asking yourself and your teams, "Why did VTech ask for this data in the first place?". Stay tuned.

[ UPDATE: 01-Dec-2015 ]
VTech has released a new statement. It's just as tone-deaf as the first one, especially in light of the fact that the hacker was able to access messages and photos from the Kid Connect service.

[ Updated: 01-Dec-2015 ]

I should mention that VTech did respond to my inquiry about the discrepancy in their statement about PII. It’s a canned response that rehashes their official statement and FAQ. I’ve posted their response.

This story is a reminder to all parents to stop and think before sharing their kid's information online. Let's set a good example as digital citizens.

Thanks for the feedback everyone. Wish there weren't so many examples to pull from...


More articles by Mark Nunnikhoven