KPN Hack: Why was Customer Notification Delayed?

Monday, February 13, 2012

Plagiarist Paganini


(Translated from the original Italian)

The nightmare of every Internet Service Provider materialized in The Netherlands where KPN, one of the main Internet Service Providers, has suspended email services after a group of hackers published the account credentials of more than 500 customers.

KPN provides services to more than two million Dutch users.

Once again, what needs to be discussed is incident management and the long delay before customers were informed of the data breach.

According to the first information available on the event, the incident had originally been detected in January.

But the company, after being confronted by law enforcement and the Dutch government, decided to maintain silence about what really happened.

The objective of this delay seems to be related to the need to give more time to conduct the investigations far from media scrutiny.

Right or Wrong?

It is said that the choice was made to preserve the work of law enforcement, but it has unnecessarily exposed the compromised customers to serious risk of fraud and espionage.

We should be concerned that customers quite often use the same credentials for several services on the Internet like other email and financial services.

Notice of the data breach was not provided until February 8th, and that was only three days after KPN had suspended all email services due to the posting of the stolen credentials on the website.

Personally, I am convinced that such incidents should be managed with full transparency by immediately informing the victims, as email today has taken on extraordinary importance and is used to transmit a great deal of sensitive information.

Immediately informing the victims could prevent not only fraud, but also further attacks on other systems on the Internet. This fact is completely ignored by the decision to keep secret the event that occurred at KPN.

I have read on many web sites about the lack of robustness of the password used, but frankly I think that this is the least of the problems.

The credentials were stored in plain text in the repository that had been exposed, and that is absurd. This is a failure of implementation of the basic security procedures that should be recognized internationally, and is an offense for which there should be heavy penalties.

I find it interesting to compare the ways in which several incidents have been disclosed to the media and customers themselves: Symantec, Stratfor, T-Mobile, RSA, Verisign, Diginotar ... for each event we have seen a different approach, and none provided were satisfactory.

A common theme in all the incidents would seem to be the intent to not provide a clear and comprehensive picture of the facts in a timely manner. Delays, denials and sometimes hidden truths are major concerns for users.

Fundamental to coping with events like these is a close collaboration between compromised users and the companies who were targets of the attack.

Only in this way is it possible to repair the damage in the company/client relationship and trust between the parties, and through a collaborative approach it is possible to reduce the risk of a domino effect related to the disclosure of stolen information.

Security is a value, not a cost; that is the key concept.


Cross-posted from Security Affairs
