Ever had that awkward convo when you’re trying to ring a warning bell to someone and they’re simply not picking up on it? It ruddy happens more often than you’d think, especially in the cyber arena and among companies. I know it sounds crackers but it’s true. There’s trouble a-brewing for firms that don’t have effective and clear communication channels for individuals to report security issues, and bang goes their consumers’ data: exposed and vulnerable for all the unwanted taking.
Let me spin you a yarn about this company named Roomster. Bless ’em! They definitely have a kink to straighten out in that department. Tripped right up over something that could have been so basic. Now stick with me here, I’ve got a bit of a story to tell.
So, Roomster, a housing solution company, was pinged by a wonderful chap, well-known as a security researcher on Twitter, who goes by the handle ‘JayeLTee’. Despite all his jolly efforts to notify Roomster of a data breach vulnerability, the poor chap’s warning was repeatedly ignored. Can you believe that? JayeLTee was sleuthing about Roomster’s entire website, looking for any contact info he could find to alert them of the brewing storm. He finally spotted an email address buried deep in Roomster’s privacy policy, cheeky spot to hide it, don’t you think?
He dropped them a line, explaining the vulnerability, and waited…and waited. Not just once, but thrice! Good ol’ Jaye stopped just short of sending a carrier pigeon! But did Roomster troubleshoot the source and fix the problem? Not on your nelly. Instead, they blocked JayeLTee and deemed him suspicious. Roomster got it all terribly wrong.
Roomster’s defence didn’t do them any good either. The company justified its woeful inaction by doubting JayeLTee’s intentions, since he had reached out to them under a password-protected handle. They were suspicious that JayeLTee might be attempting an ‘extortion’, so they didn’t bother opening or reading his alerting emails.
Hang about! Just a quick Google search on “@JayeLTee” brings up that he is known for researching leaks and security issues – not too difficult to corroborate, right? Now where did all the common sense run off to? On top of that, when Roomster finally did speak up, it wasn’t to challenge JayeLTee’s findings, but to nitpick over his use of pseudonyms. Classic case of looking straight at the forest but missing the trees!
Apart from the lesson in how not to handle a security breach, there’s also a need for a reality check on the use of pseudonyms. It has been common practice to protect one’s identity for fear of falling foul of threats, intimidation or expensive litigation by, let’s say, “not so pleased” companies. It doesn’t take away a researcher’s credibility or accountability. It’s simply a sensible step towards self-preservation – basic human instinct, really.
The US Federal Trade Commission (FTC) has been dishing out helpful advice on cyber alerts – provide a clear and accessible channel to receive security vulnerability reports. Further, the FTC encourages businesses to pay heed to credible security warnings and swiftly act to resolve them. Roomster, and similar companies, most definitely have much to take away from the FTC’s warning.
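One concrete way to offer that “clear and accessible channel” is the standard security.txt file (RFC 9116), published at /.well-known/security.txt so a researcher doesn’t have to go digging through a privacy policy for an address. The snippet below is an added example, not from the original post or from Roomster or the FTC: it embeds a constructed sample security.txt (placeholder example.com addresses) and runs the basic checks a defender would want before publishing one, namely that the required Contact and Expires fields are present, that Expires appears only once and hasn’t passed, and that each Contact is a mailto:, https: or tel: URI.

```python
from datetime import datetime, timezone

# Constructed sample of a security.txt (RFC 9116) as a company might publish
# at https://example.com/.well-known/security.txt. All addresses are placeholders.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (placeholder values)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED = ("contact", "expires")   # RFC 9116: both fields MUST be present
SINGLETON = ("expires",)            # RFC 9116: Expires MUST appear exactly once


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}, skipping comments and blank lines.

    Raises ValueError on a line that is neither a '#' comment nor 'Name: value'.
    Field names are case-insensitive per the RFC, so they are lower-cased here.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Name: value' field: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")

    # A Contact that is not a usable URI is as bad as none at all.
    for value in fields.get("contact", []):
        if not value.startswith(("mailto:", "https:", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {value}")

    # An expired file tells researchers the contact may no longer be monitored.
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {value}")
        elif expires <= now:
            problems.append(f"security.txt has expired: {value}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["OK: no problems found"]:
        print(problem)
```

Serving the file over HTTPS as text/plain and keeping the Expires date current (the RFC recommends no more than a year out) is what makes the channel trustworthy; a contact that bounces or a file that expired two years ago is the same dead end JayeLTee ran into.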
Now, I’m just a lad with an opinion, commenting on things both big and small. But even I can see the glaring missing link here. So here’s a tiny piece of advice, from one Brit to another: make sure you have a clear way for folks to get in touch and report security concerns promptly. After all, we all have a common aim – to keep our digital lives secure. Why not make it a simple, straightforward journey? Is that too much to ask for? Let’s hope not.
by Parker Bytes