KPN hacked: who warned users, and when?

The nightmare of every Internet Service Provider has materialized in the Netherlands, where KPN, one of the main ISPs, has stopped providing any email services after a group of hackers published the credentials of more than 500 customers on the internet.

Once again, what is up for discussion is the incident management and the delay with which customers were informed of the data breach. According to the first information available on the event, the incident was observed in January, but the company, after conferring with law enforcement and the Dutch government, decided to keep secret what had happened.
The purpose of this delay seems to be the need to allow more time to conduct the investigations away from media noise.

Right or Wrong?

The choice was made to protect the work of law enforcement, but it has exposed customers to a serious risk of fraud and espionage.
We must bear in mind that customers usually share the same credentials across several services on the internet, such as other email and financial services.

The data breach was communicated only on February 8th, and only three days after, the company KPN stopped all email services due to the presence of the stolen credentials on the web site PasteBin.com. KPN provides services to more than two million Dutch users, and the greater concern is that more than 500 customers' credentials have been compromised.

Personally, I am convinced that such incidents should be managed with full transparency, immediately informing the users. Email today has taken on an extraordinary importance; through this channel, in fact, a great deal of information travels, sometimes improperly.
Immediately informing the user could prevent not only fraud, but also further attacks on other systems on the Internet. This factor is completely ignored, and the decision to keep secret the event that occurred at KPN is the proof.

I have read on many web sites about the robustness of the passwords used, but frankly I think that this is the last of the problems. The credentials were stored in plain text in a repository that has been exposed; that is absurd. The failure to implement basic security procedures should be recognized internationally as an offense for which heavy penalties must be provided.

I find it interesting to compare the ways in which these incidents have been disclosed to the media and to the customers themselves. Symantec, Stratfor, T-Mobile, RSA, Verisign, Diginotar … for each event we have received a different and unsatisfactory answer.

A common thread in all the incidents would seem to be the intent not to provide a clear and comprehensive picture of the facts. Delays, denials and sometimes hidden truths are the main concerns for a user, in which I recognize myself.
I think that close collaboration between users and the companies that are victims of an attack is fundamental to coping with events like these. Only in this way is it possible to repair the tear in the relationship of trust between the parties, and through a collaborative approach it is possible to reduce the risk of a domino effect related to the disclosure of stolen information.
Security is a value, not a cost; that is the key concept.

Pierluigi Paganini

References

http://pastebin.com/N2D3MNau
