With the long holiday break, there is a lot of news to report. It is worth noting the different approaches Uber and Imgur took in reporting their breaches to the public. Troy Hunt, who discovered the latter breach, tweeted, “This is really where we're at now: people recognize that data breaches are the new normal and they're judging organizations not on the fact that they've had one, but on how they've handled it when it happened.” Imgur quickly confirmed a hack dating back to 2014 with specifics on how hackers stole 1.7 million email addresses and passwords, scrambled with the now-inferior SHA-256 algorithm. ZDNet has the specifics on how they divulged the hack to Hunt, who gave them props for the quick response over the Thanksgiving holiday.
Contrast that with how Uber responded to a breach that happened last October. Bloomberg broke the story on how hackers stole 57 million customer and driver records, and how Uber paid $100K in hush money to the hackers. “At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations.” The new CEO, Dara Khosrowshahi, didn’t pull any punches, which is hopeful, and promised to make changes to how they will do business in the future. John Gunn, the CMO of Vasco Data Security, says the concealment is a “violation of their customers’ trust,” and I would agree. Valimail’s CEO, in a blog post, commends Khosrowshahi for acting quickly (he took the job in September) and “showing real leadership,” in contrast to the people he replaced.
-- David Strom, editor of Inside Security