When LivingSocial.com discovered that the personal information of their 50 million or so users had been stolen, they did what most companies do: they initiated an investigation and hunkered down to weather the storm of the inevitable public relations nightmare that was to follow.
In what was probably an effort to control the panic, the company unfortunately chose to downplay the issue and used flaky language. They used subtle wording to draw attention away from the privacy impact and focus it on their resolve to be helpful to users in their time of need. The Web site continued to operate but posted their helpful announcement on an almost generic page simply called ‘createpassword’ and apparently designed to not stand out too much in Web searches.
If that was LivingSocial’s attempt at defusing an already combustible situation, it’s probably backfired with the media and security professionals, but it appears to have slipped by relatively easily with the general public.
Unfortunately this intentionally banal approach to customer protection is more indicative of the laissez-faire attitude that caused the breach in the first place, than the desired effect of appearing to be helpful, honest and transparent. Was there a better way? You bet. And it just might have given LivingSocial a chance to not get skewered by the media and every other wannabe security expert out there.
For starters, the entire first paragraph is little more than an insulting waste of recycled electrons that makes a vague announcement clearly designed to fly over people’s heads with techno-babble and position LivingSocial in line for martyrdom, when in fact the real victims were 50 million individuals who simply got something they hadn’t signed up for. Instead of: “LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue” the real opening paragraph should have been crafted in such a way as to build trust and empathy using a sincere, descriptive wording.
Here is what I would have recommended:
“Dear LivingSocial Customer:
On April 15 of this year our systems detected a pattern of activity that was immediately investigated by our security staff and determined by our independent auditors to be a data breach. Our forensic investigation indicates that the attack was both sophisticated and widespread, aiming precisely to steal the limited information we use to identify our valued customers. Although we use encryption to protect your passwords, criminals were unfortunately able to gain access to names, email addresses and birth dates so before reading further, we need you to do two things:
- Think about what other sites you used the same password on and go change it to something that is at least 12 characters long. Be sure to choose something that is easy for you to remember but difficult for others to guess. Because you should only use one password per site we recommend using an encrypted password database to keep track of these important credentials. Click here to download a free version of LastPass, KeePass or PasswordSafe.
- Once we contained the breach, we conducted an extensive check and verified that your account was not accessed without your authorization, but out of caution, we have expired all passwords and ask that you simply create a new one now by clicking here. Please ensure that the activation link you are about to receive by email leads to www.livingsocial.com and requires no information whatsoever to confirm your identity. Any email pretending to be from us – or other well known brands – and asking you to enter information or otherwise instilling a sense of urgency may be a form of phishing. Click here to learn to easily recognize fake emails.
We sincerely apologize for this lapse in security and any trouble this may conceivably create. We want you to know that security for us is absolutely not an afterthought. We use a layered approach to protection that allows us to separate sensitive data and detect malicious activity as it occurs. Understandably, such computer-based attacks can happen very quickly, but unlike many companies, we have detailed logs and deep visibility into what happens on our systems. This allowed us to detect, contain and limit the impact of this breach. Our staff are professionally trained to identify and investigate breaches and our systems successfully block thousands of attacks daily. Each one is documented and investigated to ensure that we continually learn from what we see. Because criminals change their approaches all the time, we place a high value on education and vigilance to protect our client data.
As such, we know that your credit card data has not been accessed. LivingSocial continues to comply with the strictest industry standards for protecting financial information. Click here to find out more about the PCI-DSS 2.0 requirements imposed on us by the payment card industry. Unfortunately, we have determined that birth date information has been stolen. This is important, because matching this information with Social Security Numbers (which we never collect) can sometimes result in identity abuses. For that reason, we recommend two more things which, like the previous two, are routine approaches to protecting your identity in general:
- Ensure that you receive a credit report on an annual basis from each credit agency. These are free, so you should stagger them throughout the year to try to receive reports every 6 or 4 months (depending on the number of companies – like Equifax, Experian and TransUnion you sign up with). Visit https://www.annualcreditreport.com for more information (in Canada, simply contact Equifax and TransUnion directly and ask for your free annual report).
- Scrutinize your bank and credit statements and be sure to watch for changes in your credit rating. Security breaches or not, criminals perpetrate identity fraud that amounts to tens of billions of dollars annually, targeting individuals of all walks of life, young or old, with good credit ratings or bad. It makes good sense to be aware of this, but not to overreact and fall for scammy sites purporting to sell you protection, insurance or other products that give you a false sense of security.
Although we do use standard one-way encryption to protect your password, the strength of such hashing techniques changes as computers get more powerful and new mathematical algorithms are created to stay ahead of the curve. Over the coming weeks we will implement a variety of strong measures designed to improve the security of our systems and their ability to protect your information. One of those measures will be the use of a hashing technique that is – literally – exponentially stronger than the one we previously employed. Click here if you’re interested in the technical aspects of this change.
From a business perspective this is of critical importance to us and we will continue to ensure that you get the best service on a daily basis. If you have any questions, consult the FAQ we prepared on this issue. This applies to members of the media as well as companies seeking to find out what we did to detect and correct the problem. We believe in sharing this kind of information because security and privacy breaches are in the news every day and the threat landscape changes at least as often. We remain committed to our customers and are working with law enforcement to identify the criminals responsible for this breach. In the meantime, we plan on sharing our detective measures and some of the ways we are improving security for current and future customers of LivingSocial because this issue is not limited to us. Please accept our apologies again for what is fundamentally a failure on our part to secure the sensitive information of our valued customers and promise to do everything in our power to push past this crime and help improve quality and security standards across the industry.
You will notice that this is not a traditional ‘mea culpa’ or half-hearted admission of incompetence. The company makes it clear that the customer’s information has been taken from its custody without authorization despite its best efforts to secure it.
Those best efforts included enough security to detect and contain the breach, which are orders of magnitude better than what customers can expect from most of today’s companies. This kind of transparency, accountability and disclosure should be celebrated. If we encouraged more organizations to report breaches in a sincere and helpful manner – and clearly breach notification legislation only goes so far in this regard – the current trend towards cynicism and apathy could see a reversal towards building trusting relationships that are constructive for industry and good for business.