That said, it is surprising when an organization correctly handles communications in response to a cyber incident, which is why this week's cyber-insecurity news from the genealogy site MyHeritage.com--a low-impact breach by any standard--is newsworthy.
Now, before I go any further, the praise freely given here comes with a claw-back provision: The way MyHeritage handled this cyber incident, if the company's account is accurate, is 100 percent praiseworthy. In fact, it's one of the best notifications I've seen. That said, it is not uncommon for companies to try to get in front of a breach story with part of the truth, followed by a slow trickle of revelations after the initial negative headline has been absorbed by the news cycle.
Assuming this is not a case where other shoes will be dropping with the thud of carefully manipulated damage control, MyHeritage did everything right.
Urgent, transparent, and empathetic
First, MyHeritage was urgent. It released news of the event the day the company found out that 92,283,889 user email addresses coupled with hashed passwords associated with personal MyHeritage accounts had been found on an outside server. The statement was clear and detailed.
Second, MyHeritage was transparent, providing minute details of not only what the company knew, but what it was doing to find out more, and how the incident might affect the over 92 million people who had accounts on the site.
Finally, the company was empathetic. It set up a customer support line before releasing the day-of statement about the incident, so that anyone affected could get information and guidance from the moment the news broke.
Here's what urgency looks like: "Today, June 4, 2018 at approximately 1pm EST [sic], MyHeritage's Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage."
Here's what transparency looks like: "Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords."
And here's what empathy looks like: "MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on email@example.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7."
Why it matters
So, now for the bad news. There is no such thing as a nothing-burger cyber incident. Email addresses are considered a low-level exposure in a breach situation because we already use them in so many public-facing ways. That low rating applies to the addresses alone, though: the hashed passwords that accompanied them are only as safe as the hashing scheme behind them, and a fast, unsalted hash can be cracked offline at scale, while a salted, deliberately slow hash holds up far better.
Phishing is the most immediate problem with an incident of this variety. A would-be attacker knows that a spoofed email purporting to come from MyHeritage.com will reach an active user. The pretext for this kind of lure isn't hard to write: "We found a new relative" might work, for instance. Other forays in a similar vein would doubtless also succeed, such as "In light of the recent cybersecurity incident, please click here to reset your password."
If you are among the 80 percent of consumers who reused passwords across multiple sites last year--a practice called daisy-chaining, which attackers exploit by trying leaked credentials against other sites (credential stuffing)--the "low-threat" exposure of your email address combined with phishing could have high-impact consequences. Many accounts where security matters, such as banks, health insurance, and the like, are tied to an email account for password resets, so if an attacker gains control of your email, they can pivot into many areas of your life.
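Why "hashed passwords" in a breach notice is not automatically reassuring, as an added example that is not from the original article and says nothing about MyHeritage's actual hashing scheme, which the article does not describe: a constructed leak of three accounts, first stored as unsalted SHA-1 and then as salted, iterated PBKDF2, attacked offline with the same small wordlist. The email addresses, passwords, wordlist and iteration count are all invented for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data, not real breach records: three accounts and a tiny
# attacker wordlist. Carol's passphrase is deliberately absent from the list.
WORDLIST = ["123456", "password", "letmein", "Summer2017", "qwerty"]
USERS = {
    "alice@example.com": "password",
    "bob@example.com": "Summer2017",
    "carol@example.com": "correct horse battery staple",
}


def sha1_hex(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


LEAK_UNSALTED = [(email, sha1_hex(pw)) for email, pw in USERS.items()]


def crack_unsalted(leak, wordlist):
    """Offline attack on unsalted fast hashes. One hash per candidate word
    covers every user at once, so the cost is len(wordlist) hashes in total,
    however many accounts leaked. Returns (cracked, hashes_computed)."""
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in leak if h in table}
    return cracked, len(wordlist)


# The hardened scheme: a random per-user salt and a slow, iterated KDF.
ITERATIONS = 50_000  # demo value; tune higher in production


def store_pbkdf2(password: str):
    """Return (salt, derived_key) as a site would store it."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def check_pbkdf2(password: str, record) -> bool:
    """Constant-time comparison of a candidate against a stored record."""
    salt, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, dk)


LEAK_SALTED = [(email, store_pbkdf2(pw)) for email, pw in USERS.items()]


def crack_salted(leak, wordlist):
    """Same wordlist against salted, iterated hashes. The salt defeats the
    precomputed table, so every (user, word) pair costs a full KDF run of
    ITERATIONS HMAC computations. Returns (cracked, kdf_calls)."""
    cracked, kdf_calls = {}, 0
    for email, record in leak:
        for w in wordlist:
            kdf_calls += 1
            if check_pbkdf2(w, record):
                cracked[email] = w
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    c1, n1 = crack_unsalted(LEAK_UNSALTED, WORDLIST)
    c2, n2 = crack_salted(LEAK_SALTED, WORDLIST)
    print("unsalted SHA-1: cracked", c1, "with", n1, "hashes")
    print("salted PBKDF2: cracked", c2, "with", n2, "KDF runs of", ITERATIONS, "iterations")
```

Both runs recover alice's and bob's passwords, which is the point about reuse: a weak password falls either way, and it is then tried on every other site tied to that email address. What the salted, iterated scheme changes is the cost, five SHA-1 computations for the whole list versus one full KDF run per user per guess, which is what turns a 92-million-row file from an afternoon's work into something much harder to exploit at scale.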
Room for improvement?
The MyHeritage incident report includes a discussion of what the company will do next to protect its users: It will implement two-factor authentication.
Now, even when a movie gets a stellar review, there are usually a few observations about weak spots. This is the cybersecurity version of that. Authentication that is useful and effective these days must require at least two of three kinds of evidence from the consumer: something he or she is (biometrics), something he or she knows (a password or PIN), and something he or she has (a phone or hardware token, which is what two-factor authentication adds to the password).
If you are rolling your eyes about two-factor authentication, I can only counter that it is preferable to crying them out when your bank account is drained because you didn't enable it. The shortfall here--password-only logins until now--is one that is not unique to MyHeritage. Things are getting better all the time, even as we experience some of the biggest data exposures since personal information became a fungible asset.
There is no such thing as perfect when it comes to cybersecurity, but when a company approaches something resembling perfection--as with the way the MyHeritage team handled this notification--it's worth taking notice.