The nightmare of every Internet Service Provider has materialized in The Netherlands, where KPN, one of the main ISPs, has stopped providing any email service after a group of hackers published the credentials of more than 500 customers on the internet.
Once again the points under discussion are the incident management and the delay with which customers were informed of the data breach. According to the first information available on the event, the incident was observed in January, but the company, after consulting with law enforcement and the Dutch government, decided to keep what had happened secret.
The objective of this delay seems to have been to give the investigators more time to work away from media noise.
Right or Wrong?
The choice was made to preserve the work of law enforcement, but it exposed the customers to a serious risk of fraud and espionage.
We must keep in mind that customers usually share the same credentials across several services on the internet, such as other email accounts and financial services.
The communication of the data breach was provided only on February 8th, and only three days after KPN had stopped all email services because the stolen credentials had appeared on the web site PasteBin.com. KPN provides services to more than two million Dutch users, and the greater concern is that more than 500 customers' credentials were compromised.
Personally I am convinced that such incidents should be managed with full transparency, informing the users immediately. Email today has taken on an extraordinary importance; through this channel in fact travels a great deal of information, sometimes improperly.
Immediately informing the user could prevent not only fraud, but also further attacks on other systems on the Internet. This factor is completely ignored, and the decision to keep the event that occurred at KPN secret is the proof.
I have read on many web sites about the robustness of the passwords used, but frankly I think that this is the last of the problems. The credentials were stored in plain text in a repository that was exposed, which is absurd. The failure to implement basic security procedures should be recognized internationally as an offense for which heavy penalties must be provided.
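To make the plaintext-storage point concrete, here is an added example (constructed for this page, not KPN's code or any real repository) that places the weak practice beside the hardened one: a credential store that keeps passwords verbatim, and one that keeps only a per-user random salt and an iterated PBKDF2-HMAC-SHA256 hash. The user names, passwords and the iteration count are assumed demo values.

```python
# Added example: plaintext credential storage beside a salted, iterated hash.
# Constructed demo; the user records and the work factor are made-up values.
import hashlib
import hmac
import os
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000  # hypothetical work factor chosen for this demo


def store_plaintext(username: str, password: str) -> dict:
    """The weak practice described in the post: the secret is kept verbatim.
    Anyone who obtains the repository obtains every password outright."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened form: per-user random salt plus an iterated PBKDF2-HMAC-SHA256 hash.
    A leaked record reveals neither the password nor whether two users share one."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a timing side channel does not leak how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_passwords(records: List[dict]) -> List[str]:
    """What a reader of a dumped repository learns directly: every password
    from plaintext records, nothing from hashed ones."""
    return [r["password"] for r in records if "password" in r]


if __name__ == "__main__":
    # Constructed sample users; the same password is given to two hashed
    # records to show that the random salt keeps their stored hashes distinct.
    weak = store_plaintext("bob", "hunter2")
    strong_a = store_hashed("alice", "correct horse")
    strong_b = store_hashed("carol", "correct horse")
    print("plaintext dump exposes:", leaked_passwords([weak, strong_a, strong_b]))
    print("same password, different hashes:", strong_a["hash"] != strong_b["hash"])
    print("login with right password:", verify(strong_a, "correct horse"))
    print("login with wrong password:", verify(strong_a, "battery staple"))
```

The salt is stored alongside the hash on purpose: it is not a secret, its job is to make precomputed tables useless and to keep identical passwords from producing identical records, which is exactly the reuse-across-services problem a dump of plaintext credentials creates.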
I find it interesting to compare the ways in which these incidents have been disclosed to the media and to the customers themselves. Symantec, Stratfor, T-Mobile, RSA, Verisign, Diginotar … for each event we have received a different and unsatisfactory answer.
A common thread in all the incidents would seem to be the intent not to provide a clear and comprehensive picture of the facts. Delays, denials and sometimes hidden truths are the main concerns for a user in whom I recognize myself.
I think that a close collaboration between users and the companies that are victims of the attack is fundamental to coping with events like these. Only in this way is it possible to repair the tear in the relationship of trust between the parties, and through a collaborative approach it is possible to reduce the risk of a domino effect related to the disclosure of stolen information.
Security is a value, not a cost, that is the key concept.
Pierluigi Paganini