How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether or not it was at fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

The issue was fixed. Not every bug can be fixed immediately. But Assist quickly remediated this bug by fixing the misconfigured plugin and deleting the exposed files. TechCrunch confirmed that the images were no longer accessible a short while after our initial contact with the company, but found that the images still appeared in Google search results. When contacted again, a spokesperson described the technical measures the company had put in place to block the pages from search results, and said it had submitted an urgent request to Google to scrub the search results. TechCrunch held its story until the images were no longer accessible from search engines.

Assist acknowledged and explained what happened. Assist responded a short time after fixing the bug with a letter from the company’s legal counsel, explaining in detail what happened, what the company did to fix the issue and how it will notify its customers that their information was affected. It’s clear that it had a plan in place in the event of a data breach.

Notified the vendor of the problem. Bonus points to Assist for also notifying the plugin maker, Imagify, of the issue that led to the misconfiguration. Imagify chief technology officer Tonya Mork told TechCrunch that the company investigated and resolved the issue in an upcoming fix. Assist was under no obligation to report the possible issue but did anyway for the good of the wider community.

But there are a couple of things that Assist — and other companies — could do better.

Have a dedicated security contact. Make it easier for hackers and security researchers to contact you. Simply having a dedicated email address for security issues on your website massively lowers the bar for hackers and security researchers to report bugs and vulnerabilities directly to you.

Publish a vulnerability disclosure policy. It’s becoming commonplace to publish a policy on your website that outlines how you respond to security vulnerabilities. These are often used in conjunction with bug bounty programs, which let companies reward hackers and security researchers for reporting bugs to them directly.

Companies claim all the time that they take your security “seriously.” But spare a thought for Assist, which actually did everything right.