This Company Was the Latest To Suffer a Data Breach. Its Reaction Was Perfect.
A data breach is never good news, but MyHeritage’s response to customers deserves recognition.
Get something wrong in the realm of corporate communications, and you can count on hearing about it. Even subtle public relations missteps can do irreparable harm to your brand. Get something right, and most of the time no one notices.
That said, it is surprising when an organization correctly handles communications in response to a cyber incident, which is why this week's cyber-insecurity news from the genealogy site MyHeritage.com--a low-impact breach by any standard--is newsworthy.
Now, before I go any further, the praise freely given here comes with a claw-back provision: The way MyHeritage handled this cyber incident, if accurate, is 100 percent praiseworthy. In fact, it's one of the best notifications I've seen. That said, it is not uncommon for companies to try to get in front of a breach story with part of the truth, followed by a slow trickle of revelations after the initial negative headline has been absorbed by the news cycle.
Assuming this is not a case where other shoes will be dropping with the thud of carefully manipulated damage control, MyHeritage did everything right.
Urgent, transparent and empathetic.
First, they were urgent. They released news of the event the day they found out that 92,283,889 user email addresses coupled with hashed passwords associated with personal MyHeritage accounts had been found on an outside server. The statement was clear and detailed.
Second, MyHeritage was transparent, providing minute details of not only what they knew, but what they were doing to find out more, and how the incident might affect the over 92 million people who had accounts on the site.
Finally, they were empathetic. The company had a customer support line in place before it released the day-of statement about the incident, where anyone could get information and guidance.
Here's what urgency looks like: "Today, June 4, 2018 at approximately 1pm EST [sic], MyHeritage's Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage."
Here's what transparency looks like: "Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords."
And here's what empathy looks like: "MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on email@example.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7."
Why It Matters
So, now for the bad news. There is no such thing as a nothing-burger cyber incident. Email addresses are considered a low-level threat in a breach situation because we use them in so many public-facing ways.
Phishing is a serious problem with an incident of this variety. Consider: a would-be attacker knows that a spoofed email from MyHeritage.com will reach an active user. The social engineering for this particular exploit isn't too hard: "We found a new relative," might work, for instance. Doubtless other forays in a similar vein would also succeed, such as, "In light of the recent cyber security incident, please click here to reset your password."
If you are among the 80 percent of consumers who re-used passwords across multiple sites last year--a practice called daisy-chaining--the "low-threat" exposure of your email address combined with phishing could have high-impact consequences. Many accounts where security is an issue, such as banks, health insurance, and the like, are linked to an email account, so if a hacker can get control of your email, they can drill down into many areas of your life.
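The two things the notification describes, confirming that a file found outside the company really originated from its own data and bounding the affected population by signup date, together with the mitigation the password-reuse risk above calls for (invalidate sessions and force a reset for every matched account), can be scripted as a triage step. The following is an added example, not MyHeritage's own tooling; it assumes a leak file of plain "email,hash" lines and a user table that exposes each account's signup date and stored password hash. Both inputs are constructed here, and the hash values are placeholders rather than real digests.

```python
"""Triage a purported credential-leak file against the internal user table.

Added example, not MyHeritage's own tooling. It assumes the leak file is
plain "email,hash" lines and that the user table exposes each account's
signup date and stored password hash; both inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import date
import hmac


@dataclass(frozen=True)
class User:
    email: str
    signup: date
    stored_hash: str  # whatever the site stores; treated as an opaque string


# Constructed internal user table (hash values are placeholders, not real digests).
USERS = {
    u.email: u
    for u in (
        User("alice@example.com", date(2016, 3, 1), "hash-placeholder-alice"),
        User("bob@example.com", date(2017, 10, 20), "hash-placeholder-bob"),
        User("carol@example.com", date(2018, 1, 15), "hash-placeholder-carol"),
        User("dave@example.com", date(2017, 5, 5), "hash-placeholder-dave"),
    )
}

# Constructed leak file: two rows that match our records exactly, one row
# whose email is ours but whose hash is not, and one email we have never seen.
LEAK_FILE = """\
# email,hash
alice@example.com,hash-placeholder-alice
BOB@example.com,hash-placeholder-bob
dave@example.com,hash-from-somewhere-else
mallory@example.com,hash-placeholder-mallory
"""


def parse_leak(text):
    """Parse 'email,hash' lines into a dict; emails are normalised to lower case.

    Malformed lines are rejected rather than silently skipped so that a
    garbled file cannot understate the exposure.
    """
    records = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'email,hash', got {raw!r}")
        records[parts[0].lower()] = parts[1]
    return records


def triage(leak, users):
    """Classify each leaked row and derive the response actions.

    confirmed     - email and stored hash both match: the row came from our data
    email_only    - email belongs to a customer but the hash is not ours (likely
                    harvested elsewhere; still a phishing and password-reuse risk)
    unknown       - not a customer at all
    latest_signup - newest signup date among matched accounts, which bounds
                    when the copy of the data was taken
    force_reset   - every matched account: sessions get invalidated and a
                    password reset is required before the next login
    """
    confirmed, email_only, unknown = [], [], []
    latest = None
    for email, digest in leak.items():
        user = users.get(email)
        if user is None:
            unknown.append(email)
            continue
        # Constant-time comparison: the stored hash is a secret-derived value.
        if hmac.compare_digest(user.stored_hash, digest):
            confirmed.append(email)
        else:
            email_only.append(email)
        if latest is None or user.signup > latest:
            latest = user.signup
    matched = len(confirmed) + len(email_only)
    return {
        "confirmed": sorted(confirmed),
        "email_only": sorted(email_only),
        "unknown": sorted(unknown),
        "latest_signup": latest,
        # Share of customer rows whose hash is ours: near 1.0 means the file is
        # a copy of our data, near 0.0 means a list assembled from elsewhere.
        "origin_share": len(confirmed) / matched if matched else 0.0,
        "force_reset": sorted(confirmed + email_only),
    }


if __name__ == "__main__":
    report = triage(parse_leak(LEAK_FILE), USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the report confirms two rows as the company's own data, flags one customer whose email appears with a foreign hash, lists one unknown address, and bounds the copy at the 2017-10-20 signup; every matched account, whether the hash was ours or not, lands on the forced-reset list, because the email exposure alone makes it a phishing target.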
Room for Improvement?
The MyHeritage incident report includes a discussion of what the company will do next to protect its users: it will implement 2-factor authentication.
Now, even when a movie gets a stellar review, there are usually a few observations about weak spots. This is the cybersecurity version of that. Security these days, to be useful and effective, must require a few things from the consumer: something s/he is (biometrics), something s/he knows (a password, avatar, etc.), and something s/he has (a phone for 2-factor authentication).
If you are rolling your eyes about 2-factor authentication, I can only counter that it is preferable to crying them out when your bank account is drained because you didn't enable it. The shortfall here is not unique to MyHeritage. Things are getting better all the time, even as we experience some of the biggest data exposures since personal information became a fungible asset.
There is no such thing as perfect when it comes to cyber security, but when a company approaches something resembling perfection--as with the way the MyHeritage team handled this notification--it's worth taking notice.