Last weekend, along with countless employees and ex-employees of Microsoft, Amazon, Expedia, and Premera itself, I received a breach notification signed by Premera's President & CEO, Jeffrey Roe.
Here are a few things I think can already be learned from this letter and the available public information:
Whenever I see the phrase "sophisticated cyberattack", not only am I turned off by the meaningless prefix "cyber", which seems to serve only to "baffle them with bullshit", but I'm also convinced that the author is trying to convince me that, hey, this attack was just too amazing and science-fictiony to do anything to stop.
All that does is push me in the other direction – to assume that the attack was relatively simple, and should have been prevented and/or noticed.
Granted, my experience is in Information Security, and so I'm always fairly convinced that it'll be the simple attacks, not the complex and difficult ones, that will be the most successful against any site I'm trying to protect. It's a little pessimistic, but it's been proven right time and again.
So, never say that an attack is "sophisticated" unless you really mean that the attack was way beyond what could have been reasonably imagined. You don't have to say the attackers used simple methods to get in because your team are idiots, because that's unlikely to be entirely true, either. Just don't make it sound like it's not your fault. And don't make that your opening gambit, either – this was the very first sentence in Premera's notification.
"some of your personal information may have been accessed"
Again, this phrasing simply makes me think "these guys have no idea what was accessed", which really doesn't inspire confidence.
Instead, you should say "the attackers had access to all our information, including your personal and medical data". Then acknowledge that you don't have tracking on what information was exported, so you have to act as if it all was.
The worst apologies on record all contain some variation of "I'm sorry you're upset", or "I'm sorry you took offence".
Premera's version of this is "We … regret the concern it may cause". So, not even "sorry". And to the extent that it's an apology at all, it is that we, current and past customers, were "concerned".
Premera Blue Cross ("Premera") …
… Information Technology (IT) systems
As if the lack of apology didn't already tip us off that this document was prepared by a lawyer, the parenthetical creation of abbreviations to be used later on makes it completely clear.
If the letter had sounded more human, it would have been easier to receive as something other than a legal arse-covering exercise.
The letter acknowledges that the issue was discovered on January 29, 2015, and the letter is dated March 17, 2015. That's nearly two months. And nearly a year since the attackers got in. That's assuming that you've truly figured out the extent of the "sophisticated cyberattack".
Actually, that's pretty fast for security breach disclosure, but it still gives the impression to customers that you aren't letting them know in enough time to protect themselves.
The reason given for this delay is that Premera wanted to ensure that their systems were safe before letting other attackers know about the issue – but it's generally a fallacy to assume that attackers don't know about your vulnerabilities. Premera, and the health insurance industry, do a great job of sharing security information with other health insurance providers – but the attackers do an even better job of sharing information about vulnerable systems and tools.
Which leads us to…
If your company doesn't have a prepared breach disclosure letter, approved by public relations, the security team and your lawyers, it's going to take you at least a week, probably two, to put one together. And you'll have missed something, because you're preparing it in a rush, in a panic, and in a haze while you're angry and scared about having been attacked.
Your prepared letter won't be complete, and won't be entirely applicable to whatever breach finally comes along and bites you, but it'll put you that much closer to being ready to handle and communicate that breach. You'll still need to review it and argue between Security, Legal and PR teams.
Have a plan for this review process, and know the triggers that will start it. Maybe even test the process once in a while.
If you believe that breaches could require a credit notification or ID tracking protection, negotiate this ahead of time, so that this will not slow you down in your announcement. Or write your notification letter with the intent of providing this information at a later time.
Finally, because your notification letter will miss something, make sure it includes the ability to update your customers – link to an FAQ online that can be updated, and provide a call-in number for people to ask questions of an informed team of responders.
There's always more information coming out about this vulnerability, and I plan to blog a little more about it later.
Let me know in particular if there's something you'd like me to cover on this topic.