And so it continues, this time with VTech not only allowing nearly 5 million of their customer records to walk out the digital door, but also the details of over 6 million kids. And their photos. And their chats with their families. And their audio messages. It’s about as personal as you can imagine a data breach getting and understandably, people are angry.
After an incident like this, customers want answers. They want to know how this could have happened – why did VTech / Ashley Madison / Adobe et al expose their personal info in this way? But the other thing they want to know is what personal info was exposed. Did they give the company their address? Is it a password they reused? What security question did they provide an answer to? And so they should be asking this too, it’s their data.
Given I tend to get pretty deeply involved in data breaches in running Have I been pwned?, inevitably people turn to me and ask for their record. In fact it happens so frequently that eventually I ended up writing No, I cannot share data breaches with you and I now point people over that way. This begs the question though – why do people want their data? After all, this is data that they themselves provided to the organisation, don’t they know what it is already?
The main issue is that people just don’t know how much data is out there about them. This week I added data to “Have I been pwned?” for two breaches from more than five years ago which together had more than eight million user accounts in them. We’re talking data like home addresses, dates of birth and security questions and answers, all in plain text of course. Think about how the folks in those breaches are feeling now and the questions they’re asking themselves: was my current home address leaked? Is my birth date (which is frequently used for identity verification) now in the public domain? Which security question did I use? These are all perfectly reasonable questions and frankly, they deserve answers.
So here’s my point: if a company gets hacked, they’ve got a responsibility to not only let their users know that a security incident occurred, but they should then provide them with precisely what data was leaked if the victim requests it. The organisation almost always has the data (it’s very rare to see total destruction, Distribute.IT is a notable exception that comes to mind), and if for some reason they didn’t have it, when we’re talking about public leaks they could simply grab it off the web. Certainly there have been times in the past where I’ve provided this class of data to organisations myself so there are certainly options.
This doesn’t solve the problem of data breaches nor does it absolve the organisation of their responsibility to actually protect it properly in the first place (which they evidently haven’t done), but it’s a small consolation to the users. After all, in the wake of an incident like this, it’s the customers who put their faith in the organisation that deserve to be put first.