Weekly Video: September 6, 2022
9–6–2022 (Tuesday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies. I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.
Today is Tuesday, the first day back after the Labor Day holiday here in the US, and the start of the sprint to the end of the year.
This week is breaches, breaches, breaches - but with three very different ways to respond to the incident when it does happen. After looking at these three, you should have a pretty good sense of what a best practice response looks like.
And we’re going to cover these three stories in 5 minutes or less:
Samsung’s Friday News Dump
IRS’ Own Goal
TikTok’s Big Problem
Samsung’s Friday News Dump
Samsung US announced late on Friday - heading into the Labor Day weekend here in the US - that they had suffered a breach.
Notably, the malicious activity began in July, and Samsung’s own notice points out that they became aware of customer impact on 4 AUG.
Their breach was announced by crisis communications firm Edelman - and we should acknowledge that using an outside PR firm is a recommended best practice. But the rest of the mechanics around this disclosure leave a lot to be desired, frankly.
First of all, while they insist that credit card and Social Security numbers were not involved in the breach, Samsung has yet to answer questions around the size of the breach (i.e. how many customers were impacted), nor have they addressed why it took them nearly a month to disclose the breach - and why they only did so with a Friday News Dump heading into a long weekend.
The website they’ve put up for potentially impacted customers is similarly thin on details and heavy on platitudes - including the obligatory note that “security is a top priority.”
Unfortunately, opaque responses to incidents like this don’t exactly build trust, despite Samsung’s claim that they continue to “work to maintain the trust our customers have put into the Samsung brand for more than 40 years.”
Remember, Samsung has had some recent practice with this, as well - having been breached in March by the hacking crew Lapsus$. This one feels like a miss to me, Samsung. And it will probably feel like more of a miss as details come out (which they inevitably will).
IRS’ Own Goal
Another breach disclosed this week comes from the United States’ Internal Revenue Service, which noted that it exposed some confidential information for 120,000 taxpayers.
It appears that the issue was a bug in the Tax Exempt Organization Search tool, which is designed to make public the required filings of non-profits in the United States (using form 990-T). Instead, for these 120,000 taxpayers, some data that shouldn’t have been made public, was.
Like Samsung, the IRS notes that it did not include SSNs, but the IRS did note that it discovered the issue itself, resolved the issue, reported the incident to Congress, and will be contacting the impacted taxpayers.
If I had to pick an issue for their response, it would only be this: the timeline of the incident is not fully disclosed (i.e. the employee discovered the issue on this date, it was resolved on that date, reported on this other date, etc.).
Timeline can be very important not only to gauge an organization’s ability to respond quickly, but also for impacted individuals to help better understand when that impact happened - especially those who are suffering additional impacts because their information has been exposed.
That said, reports did note that this data has been inadvertently available for over a year, so perhaps timeline isn’t as critical - but it would still be nice to know more about the response timing.
TikTok’s Big Problem
Finally, late in the long weekend, news of a potential breach at Chinese-owned social media network TikTok broke, with the threat actors asserting that they took nearly everything from a poorly secured Alibaba Cloud instance, and that the impact could scale to more than 2 billion users.
External security researchers have reviewed samples of the stolen data and indicate that it does, indeed, appear authentic, while TikTok is vehemently denying the issue - noting “Our security team investigated these claims and found no evidence of a security breach.”
As the story develops, there is potential that the data could be from a third party - though, in the end, it would still be TikTok data, even if TikTok systems weren’t the ones breached.
TikTok updated its statement later in the weekend to say “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases.”
Again, while that may be technically true, the potential impact here - at 2+ billion records - is something we’re going to want to watch very closely.
The challenge with scale is that it cuts both ways - when scale helps you build your revenue and business, it also scales the impact when bad things happen.
The TikTok breach, by the nature of the claims and the data and the company, will get much more attention in the coming days, and we’ll likely learn more. Time will tell if TikTok’s staunch denial was a wise strategy, or if they should’ve taken a different approach. Leading with “it wasn’t OUR systems, it was the systems of someone we gave user data to” isn’t a great look.
Fundraising
The dog days of summer are coming to a close, and especially at the end of August, activity slows as we head back to school and into a long weekend. We’re seeing that slowdown this week in the fundraising numbers - capping out at $1.6B in newly committed capital.
We’ve had a run of big weeks, so let’s not over-index this dip (even if last week was 10x this volume, two weeks before that was 20x, and three weeks before that was nearly 40x). Remember, it all adds up as dry powder to help these companies grow.
Best of luck to all the funds with new capital to deploy.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
LINKS:
https://techcrunch.com/2022/09/02/samsung-data-breach/
https://www.samsung.com/us/support/securityresponsecenter/
https://thehackernews.com/2022/09/tiktok-denies-data-breach-reportedly.html