Consumer Passwords Keep Falling

Category: Networking

Quick – how many times in the last couple of months have you been advised to change your password, because of a high-profile security breach or vulnerability?

Let’s see now … there was the highly sensationalized Heartbleed bug, which probably affected several sites that you use regularly. Then there was the breach at eBay,
which compromised a database containing the passwords and personal information of 145 million subscribers.

More recently, we have the breach of servers at Domino’s Pizza in France and Belgium, which compromised the following personal information of about 650,000 consumers
(592,000 in France, and 58,000 in Belgium):

Passwords

Full names

Addresses

Phone numbers

Email addresses

Delivery instructions

And yes, favorite pizza toppings

What made the headlines in the Dominos Pizza breach is that the hacker group that took credit for the breach – Rex Mundi (which if I’m not mistaken is Latin for
King of the World) – demanded a ransom of 30,000 Euros in exchange for not making this information public. This is a new twist on the trend of holding data for
ransom, which before now has more typically been implemented by encrypting your data and demanding payment to get it back.

Dominos refused to pay ransom. I have no problem with that.

What I do have a problem with is their post-incident communications, a topic for which I have developed an Incident Response Communications checklist / report card …
as well as a somewhat cynical, “Worst Practices” version of the IR Communications checklist / report card as part of my ongoing Screwtape CISO blog series.

Remember now, as a consumer this really isn’t so much about the inconvenience of having to change your password. It’s about the massive identity theft problem that
Domino’s has just dumped on your plate, as I wrote about in http://blogs.aberdeen.com/it-infrastructure/sos-secure-our-servers/.

Let’s look at what Domino’s Pizza in France had to say about this incident (scroll down to June 13) – basically, a single Tweet, in four parts due to the standard character
limitations of Twitter:

[1/4] Dominos Pizza utilise un système de cryptage des données commerciales. Toutefois les hackers dont nous avons été victimes

[2/4] sont des professionnels aguerris et il est probable qu’ils aient pu décoder le système de cryptage comprenant les mots de passe.

[3/4] C’est la raison pour laquelle nous vous recommandons de modifier votre mot de passe, par mesure de sécurité.

[4/4] Nous regrettons fortement cette situation et prenons cet accès illégitime très au sérieux.

Translated to English:

Dominos Pizza uses an encryption system for commercial data. However, the hackers we fell victim to are seasoned professionals, and it is likely that they were able to decode the
encryption system, including the passwords. This is why we recommend that you change your password, as a security measure. We strongly regret this situation and take this illegitimate
access very seriously.

In my view, this is a page straight out of the Screwtape communications playbook!

They acknowledge the incident, but they take little responsibility for what happened. Why, they encrypted the information … what else could they do?

They provide no real explanation of what happened. If they use an encryption system, why is it likely that seasoned professionals can decode it? Did they use weak encryption? Did they mismanage and expose the encryption keys? Did they hash the passwords (a type of encryption), but not salt them? (See my blog Salt With Your Hash = Better for You (Your Passwords, That Is) for more detail.) Did they protect only the passwords, or all of our personal information?
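To make the "hashed but not salted" question concrete, here is an added example (not code from the original post, and nothing to do with Domino’s actual systems) contrasting the two storage schemes. A password hash is one-way, unlike encryption, so nobody holds a key that "decodes" it; what a salt adds is a random per-user value mixed into the hash, so two users with the same password no longer share the same stored value, and a table precomputed against one hash cannot be reused against every account. The user names, passwords and the `pbkdf2_sha256$…` storage format are constructed for this illustration; the iteration count is an assumed work factor, not a recommendation for any specific deployment.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two users who happen to pick the same password.
USERS: Dict[str, str] = {"alice": "pizza2014", "bob": "pizza2014"}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare SHA-256 over the password, no per-user salt.
    Every user with this password ends up with the identical stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The salt is generated fresh per user and stored alongside the digest, so
    verification can recompute it; the iteration count is the work factor and
    is stored too, so it can be raised later without breaking old records.
    Storage format (constructed for this example): algo$iterations$salt$digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def distinct_unsalted(users: Dict[str, str]) -> int:
    """How many distinct stored values the unsalted scheme produces.
    Shared passwords collapse into one value, which is exactly the weakness."""
    return len({unsalted_hash(p) for p in users.values()})


def distinct_salted(users: Dict[str, str]) -> int:
    """How many distinct stored values the salted scheme produces.
    Each record gets its own salt, so even identical passwords differ."""
    return len({hash_password(p) for p in users.values()})


if __name__ == "__main__":
    print("unsalted distinct values:", distinct_unsalted(USERS))  # 1
    print("salted distinct values:  ", distinct_salted(USERS))    # 2
    record = hash_password(USERS["alice"])
    print("verify correct password: ", verify_password("pizza2014", record))
    print("verify wrong password:   ", verify_password("pizza2015", record))
```

The point for a post-incident reader is that the stored value in the salted scheme tells you nothing about whether another account used the same password, and cracking it means repeating the full iterated computation per account; a database of unsalted hashes gives that up for free. Whether a breached company did this is precisely the detail a useful disclosure would state.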

They don’t really acknowledge the effects, other than the recommendation that we change our passwords – but they are silent on the bigger issue of fraudulent activity based
on our identities. Of course, they “strongly regret” the situation … and of course they “take it very seriously.” Puh-lease.

They make no investment whatsoever in reparations … no guidance on what to look for, no credit report monitoring, not even a coupon for our next order.

They don’t provide any information about what they’re doing to ensure that it doesn’t happen again, or give affected parties a means to get more information.
They simply issue their Tweet and go back to their regularly scheduled marketing promotions surrounding the FIFA World Cup.

Their grade, in my book: a solid F.

This type of corporate behavior needs to change. The reason Domino’s Pizza can get away with this is simple: their customers let them get away with it. As consumers,
we should be outraged … we should leverage the power of social media to create a level of negative attention that can’t be ignored … we should order our pizza from
someone other than Domino’s. So long as we passively accept this kind of treatment and keep on consuming their product, we’re sitting on the “invisible hand”
of market forces that would compel them to behave differently.

Postscript: the sheep that we are, we consumers tolerate so much more without really thinking about it … for example, try actually reading the Domino’s Pizza terms of
use to see what you’ve agreed to without even thinking about it, a topic I wrote about in the blog RTFE (Read the EULA). That will have to be the topic for another blog.