UK security company Keepnet Labs has publicly confirmed that a database it had collated containing more than five billion records from past data breaches was “briefly exposed” on the internet.
If you think you’ve heard about this before, you’re right.
I first reported on the security breach back in March, following the initial discovery of the exposed data – which could be accessed without a password or any authentication – by security researcher Bob Diachenko.
Now, if I were a security firm that found itself embroiled in an embarrassing breach like this, I think I would be keen to be transparent about what had occurred, and to share what I had done to ensure that similar problems did not occur again.
Honesty, after all, is the best policy – and by apologising and behaving openly you can actually build trust inside this crazy industry of ours.
But Keepnet Labs didn’t do that. Instead, it contacted media outlets requesting that their name be removed from the news reports.
It even contacted people who had simply been quoted in the news reports (individuals who didn’t even name Keepnet Labs in the quote they offered journalists) and threatened them with legal action unless they somehow withdrew their comment.
I was one of the blogs that Keepnet Labs contacted.
But as far as I could see, I hadn’t made any mistakes in my article.
I gave Keepnet Labs multiple opportunities to tell me what was incorrect in my article, or to offer me a public statement that I could include in the article. I told them I was keen to present the facts accurately.
Here’s part of one email I sent Keepnet Labs:
I continue to offer you a right of reply on my website. I am happy to include an update on the existing article containing a statement from your company, refuting the claim (if you wish) and (if you wish) clarifying what actually happened. I’m sure this would be a big reassurance for your customers and potential future customers.
I could quote from our email exchanges – indeed I could have done this weeks ago – if you are uncomfortable crafting a formal statement, but I’m not keen on quoting private correspondence without the permission of the other party.
Do please let me know how you would like to proceed so we can close this matter as quickly as possible. I’m confident that a brief statement from KeepNet Labs republished on my site could resolve this issue by the end of the day!
But Keepnet Labs didn’t want to offer a statement, or talk publicly about what happened.
Instead, earlier this month, Keepnet Labs threatened me with legal action for publishing an article naming them in relation to the security breach, and demanded that I remove their name from the article.
One of the oddities of this letter is that they say the offending statement is:
“Keepnet Labs Breached Customer Data or 5B+ records”
However, these are words that never appeared in my article. To be clear (and you can use the Wayback Machine to check, if you wish), at no point did I claim that Keepnet Labs customers had been impacted by the security breach.
Anyway, after weeks of failing to get any co-operation from Keepnet Labs about what actually happened, and unwilling to enter a time-wasting legal tussle, I decided to remove their name from my article.
I announced on Twitter that the article had been updated and why, although I was careful not to mention Keepnet Labs.
Following a legal threat from ███████ ████ I have removed their name from this article on my site: https://t.co/kQOzgzoVHa
I hope readers will accept my apologies for what is clearly unsatisfactory, but I can ill-afford to get embroiled in a legal fight. pic.twitter.com/zcIkqirwb9
— Graham Cluley 🇺🇦 (@gcluley) June 3, 2020
What’s news now is that Keepnet Labs – sorry, ███████ ████ – has issued a public statement about the security breach which occurred two months ago.
I suspect Keepnet Labs only issued its statement because of the dogged determination of Rob Scammell, deputy editor of Verdict, and the army of Twitter users who responded to my tweet by using their ingenuity to uncover who the company was that had gagged me.
In its newly-published public statement, Keepnet Labs says it “accepts full accountability for this incident” but blames it on an unnamed third-party service provider to which it had outsourced the database management.
Keepnet Labs is also keen to underline that none of its customer data was exposed: the exposed database consisted of records collected from past security breaches.
Which is, of course, what I said in my article.
Just to be clear, and for the record, I welcome Keepnet Labs publishing a public statement about the data exposure. I think that’s a good thing they have done.
They should, of course, have done it back in March rather than waiting for June. Taking so long to make a statement and trying to get your name removed from news articles isn’t a good look. Especially for a security firm.
Security firms should be examples for all businesses on how to behave after a security breach. Transparency, disclosure of what went wrong, and what steps are being taken to ensure that something similar doesn’t happen again are key to building trust and confidence from customers and the rest of the industry.
Disclosures of failure can be painful, but they ultimately are less embarrassing and damaging than cover-ups. Most of us in the industry accept that accidents can happen, and mistakes can occur. We should own up to our mistakes in a prompt fashion and lead by example.
Keepnet Labs would have done well to publish its statement at the time the breach was disclosed and work with the news agencies and bloggers to give their side of the story rather than against them.
Keepnet Labs’s failure to respond in a timely and transparent fashion, and their attempt to remove themselves from the story, made this a much bigger deal than it ever would have been otherwise.
To hear more about what happened, check out this episode of the “Smashing Security” podcast.