Quick – how many times in the last couple of months have you been advised to change your password, because of a high-profile security breach or vulnerability?
Let’s see now … there was the highly sensationalized Heartbleed bug, which probably affected several sites that you use regularly. Then there was the breach at eBay, which compromised a database containing the passwords and personal information of 145 million subscribers.
More recently, we have the breach of servers at Domino’s Pizza in France and Belgium, which compromised the following personal information of about 650,000 consumers (592,000 in France, and 58,000 in Belgium):
- Full names
- Phone numbers
- Email addresses
- Delivery instructions
- And yes, favorite pizza toppings
What made the headlines in the Domino’s Pizza breach is that the hacker group that took credit for the breach – Rex Mundi (which if I’m not mistaken is Latin for “King of the World”) – demanded a ransom of 30,000 Euros in exchange for not making this information public. This is a new twist on the trend of holding data for ransom, which before now has more typically been implemented by encrypting your data and demanding payment to get it back.
Domino’s refused to pay ransom. I have no problem with that.
What I do have a problem with is their post-incident communications, a topic for which I have developed an Incident Response Communications checklist / report card … as well as a somewhat cynical, “Worst Practices” version of the IR Communications checklist / report card as part of my ongoing Screwtape CISO blog series.
Remember now, as a consumer this really isn’t so much about the inconvenience of having to change your password. It’s about the massive identity theft problem that Domino’s has just dumped on your plate, as I wrote about in http://blogs.aberdeen.com/it-infrastructure/sos-secure-our-servers/.
Let’s look at what Domino’s Pizza in France had to say about this incident (scroll down to June 13) – basically, a single Tweet, in four parts due to the standard character limitations of Twitter:
[1/4] Domino’s Pizza utilise un système de cryptage des données commerciales. Toutefois les hackers dont nous avons été victimes [2/4] sont des professionnels aguerris et il est probable qu’ils aient pu décoder le système de cryptage comprenant les mots de passe. [3/4] C’est la raison pour laquelle nous vous recommandons de modifier votre mot de passe, par mesure de sécurité. [4/4] Nous regrettons fortement cette situation et prenons cet accès illégitime très au sérieux.
Translated to English:
Domino’s Pizza uses an encryption system for commercial data. However, the hackers we fell victim to are seasoned professionals, and it is likely that they were able to decode the encryption system, including the passwords. This is why we recommend that you change your password as a security measure. We strongly regret this situation and take this illegitimate access very seriously.
In my view, this is a page straight out of the Screwtape communications playbook!
- They acknowledge the incident, but they take little responsibility for what happened. Why, they encrypted the information … what else could they do?
- They provide no real explanation of what happened. If they use an encryption system, why is it likely that seasoned professionals can decode it? Did they use weak encryption? Did they mismanage and expose the encryption keys? Did they hash the passwords (a type of encryption), but not salt them? (See my blog on Salt With Your Hash = Better for You (Your Passwords, That Is) for more detail.) Did they protect only the passwords, or all of our personal information?
- They don’t really acknowledge the effects, other than the recommendation that we change our passwords – but they are silent on the bigger issue of fraudulent activity based on our identities. Of course, they “strongly regret” the situation … and of course they “take it very seriously.” Puh-lease.
- They make no investment whatsoever in reparations … no guidance on what to look for, no credit report monitoring, not even a coupon for our next order.
- They don’t provide any information about what they’re doing to ensure that it doesn’t happen again, or give affected parties a means to get more information. They simply issue their Tweet and go back to their regularly scheduled marketing promotions surrounding the FIFA World Cup.
Their grade, in my book: a solid F.
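The “hashed but not salted” question above is the one technical detail a consumer can actually reason about, so here is an added illustration (my own example code, not anything from Domino’s or from the original post) of why it matters. The sample accounts and passwords are constructed for the demo; the iteration count is an assumption, not a recommendation tied to any particular standard. Without a salt, two customers who picked the same password end up with identical stored digests, so one cracked record (or one precomputed table of common passwords) exposes everyone who shares it. With a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), identical passwords produce unrelated digests and each one has to be attacked separately.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for the demonstration only; not real breach data.
SAMPLE_USERS = {
    "alice@example.com": "pepperoni2014",
    "bob@example.com": "pepperoni2014",   # same password as alice, on purpose
    "carol@example.com": "mushroom!",
}

# Assumed work factor; tune upward for production hardware.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: fast, deterministic, and identical for
    every user who chose the same password (the weak scheme)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Stored as 'iterations$salt_hex$digest_hex' so verification can recover
    the parameters without a separate column."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Produce the stored credential records under either scheme."""
    if salted:
        return {user: salted_hash(pw) for user, pw in users.items()}
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def count_duplicate_digests(records: Dict[str, str]) -> int:
    """Number of records whose digest is shared with at least one other record.
    Any value above zero means the store leaks which users share a password."""
    digests = list(records.values())
    return sum(1 for d in digests if digests.count(d) > 1)


if __name__ == "__main__":
    weak = build_store(SAMPLE_USERS, salted=False)
    strong = build_store(SAMPLE_USERS, salted=True)
    print("unsalted records sharing a digest:", count_duplicate_digests(weak))
    print("salted records sharing a digest:  ", count_duplicate_digests(strong))
    print("alice verifies with correct password:",
          verify_salted("pepperoni2014", strong["alice@example.com"]))
    print("alice verifies with wrong password:  ",
          verify_salted("anchovies", strong["alice@example.com"]))
```

Running it shows two unsalted records sharing a digest (alice and bob) and none in the salted store, while verification still succeeds for the correct password. The same per-user salt is what a breached company would point to when it says “changing your password is precautionary” rather than “change it now”; its absence is exactly why a Tweet saying the encryption was “probably decoded” should worry you.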
This type of corporate behavior needs to change. The reason Domino’s Pizza can get away with this is simple: their customers let them get away with it. As consumers, we should be outraged … we should leverage the power of social media to create a level of negative attention that can’t be ignored … we should order our pizza from someone other than Domino’s. So long as we passively accept this kind of treatment and keep on consuming their product, we’re sitting on the “invisible hand” of market forces that would compel them to behave differently.