...or How To Report Password Attacks
Reputation.com just reported a security breach to users, with the email below. There are some great takeaways here for reporting breaches to your users:
- Be specific and explicit about what data is compromised - I think the bullet point list is great. More companies should be this straightforward.
- Get on it immediately - their users heard about this before the media did.
- Offer an incentive - a year of credit reporting is a nice thing when your personal data has been compromised.
- Immediately change the password of every user affected - users are fallible and don't check their email every minute, so it's better not to wait on them.
- "Only the jurisdiction of North Dakota requires us to disclose information about this incident. However, out of an abundance of caution..." Yes. Reputation.com's contract is with the user, not with the state. Following the "letter of the law" in a password breach underserves your userbase. Legislation around data privacy is spotty. By going beyond the required transparency and contacting everyone, the company not only protected themselves, but started on the path of rebuilding trust with their users. (That said, pointing out to users that you don't have to tell them when you've been breached might not make you any friends).
A few things they could have done differently:
- It's great to know their passwords were salted and hashed. I would like to know what algorithm they are using to protect my data.
- Users should know if they were impacted specifically.
- Given that passwords are often used for multiple websites and that personal information like email, occupation, and address was also accessed, they may be downplaying the follow-on effect of losing those credentials.