BreachExchange mailing list archives

Silent Circle claims major companies not declaring data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 26 Sep 2013 23:52:21 -0600

http://www.theguardian.com/technology/2013/sep/26/silent-circle-major-companies-data-breaches

Major companies are failing to disclose data security breaches, a secure
communications company has claimed.

The co-founder of Silent Circle, which closed its secure email service over
concerns that it could not guarantee users' privacy from
government-mandated surveillance, claimed that corporate users have
admitted data breaches that have not been disclosed to shareholders.

“We’re like digital priests,” said Mike Janke, chief executive of the
service. “Everybody calls us, or comes to our office, and tells us just
every dirty thing that’s going on.

“I sat and spoke with the chief information officer of a Fortune 500
company, and he’s telling me that they’re not reporting 80% of their data
breaches. And I’m going, ‘there’s a law against that’.

“Customers of ours disclose that they’re being breached, weekly, and they
don’t disclose it to shareholders.”

That revelation comes against the background of a major investigation by
security website Krebs on Security which revealed that some of America’s
biggest data broker firms may have been unwittingly compromised.

SSNDOB is a site trading stolen personal information and achieved notoriety
after leaking the Social Security numbers for celebrities like Jay Z and
Michelle Obama.

Krebs found that “the miscreants behind this ID theft service controlled at
least five infected systems at different US-based consumer and business
data aggregators,” including Dun & Bradstreet, Kroll Background America,
and LexisNexis.

“We have identified an intrusion targeting our data, but to date have found
no evidence that customer or consumer data were reached or retrieved,”
Aurobindo Sundaram, vice president of information assurance and data
protection at the parent company of LexisNexis, Reed Elsevier, told Krebs
on Security.

“Because this matter is actively being investigated by law enforcement, I
can’t provide further information at this time.”

Email is 'fundamentally broken'

Janke explained the decision to close down Silent Circle's email service,
part of a suite of encrypted communications tools across a number of
platforms.

“Email is different. It’s fundamentally broken,” Janke said, comparing the
protocol to services built from the ground up for security.

“The architecture was made 40 years ago. Imagine I’m sending you a letter
in an envelope: this is encrypted email. They can’t open the letter to read
what I wrote you – right, yet. But where it was from, my GPS location, what
time, who I bcc’ed, the subject line.

“We were sitting on metadata, so that we knew it was only a matter of time
before someone would come to us. Email was different – the rest of our
products have no metadata, no IP logging, no way – but email was
fundamentally broken.”
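Janke's envelope analogy can be checked against an actual message. The script below is an added example, not code from the article or from Silent Circle: it parses a constructed PGP/MIME-style message with Python's standard-library email module, lists which header fields remain in cleartext even though the body is ciphertext, and sketches the mitigation a sender-side tool could apply (dropping the headers the sender controls). All addresses, the Subject and the X-Originating-IP value are constructed sample data; From, To and Date are left in place because SMTP delivery needs them.

```python
"""Added example (not from the article or Silent Circle): show which
fields of an end-to-end-encrypted email stay readable to every mail
server that relays it. Standard library only."""
from email import message_from_string

# Constructed sample message. The body is a PGP-armored block standing
# in for real ciphertext; the headers are what an MTA sees in the clear.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Bcc: carol@example.com
Subject: Q3 breach numbers
Date: Thu, 26 Sep 2013 23:52:21 -0600
X-Originating-IP: [192.0.2.10]
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
hQEMA... (ciphertext placeholder, constructed)
-----END PGP MESSAGE-----
"""

# Header fields that carry routing or social metadata regardless of
# body encryption (Received and Message-ID are added by servers/MUAs).
METADATA_HEADERS = ("From", "To", "Cc", "Bcc", "Subject", "Date",
                    "X-Originating-IP", "Received", "Message-ID")

# Headers a sending client controls and can drop or blank before
# handing the message to an MTA. Bcc should never leave the client at
# all; if it is present in the transmitted headers it has already leaked.
SENDER_CONTROLLED = ("Subject", "Bcc", "X-Originating-IP")


def body_is_encrypted(raw: str) -> bool:
    """True if the (single-part) body is a PGP armored message."""
    body = message_from_string(raw).get_payload()
    return "-----BEGIN PGP MESSAGE-----" in body


def exposed_metadata(raw: str) -> dict:
    """Return the cleartext metadata headers present in a raw message."""
    msg = message_from_string(raw)
    return {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}


def minimised_copy(raw: str) -> str:
    """Mitigation sketch: strip sender-controlled headers and replace the
    Subject with a fixed placeholder. From/To/Date remain: the envelope
    still reveals who talked to whom and when, which is the point Janke
    makes about metadata."""
    msg = message_from_string(raw)
    for h in SENDER_CONTROLLED:
        del msg[h]          # no error if the header is absent
    msg["Subject"] = "..."  # keep a Subject so receivers do not add one
    return msg.as_string()


if __name__ == "__main__":
    print("body encrypted:", body_is_encrypted(SAMPLE_MESSAGE))
    print("exposed before:", exposed_metadata(SAMPLE_MESSAGE))
    print("exposed after: ", exposed_metadata(minimised_copy(SAMPLE_MESSAGE)))
```

Running it shows that From, To and Date survive even after minimisation; the only way to remove them is a transport that does not use SMTP headers at all, which is what the peer-to-peer replacement described later in the article aims at.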

Silent Circle’s email application was hugely popular – “We became
profitable like that,” Janke said, snapping his fingers – but when a
similar service, Lavabit, closed its doors without warning, the company
re-examined its business.

Lavabit had garnered unwelcome attention for providing services to Edward
Snowden, the whistleblower who disclosed the level of internet surveillance
being conducted by the National Security Agency in the US.

Silent Circle then decided to shut down the service to avoid becoming
“complicit in crimes against the American people”.

“We have been developing an email app that’s based upon our peer-to-peer
encryption,” Janke said, explaining his own decision to follow suit.

“We thought we’d have it done sooner, so this email [app] that we put out,
the encrypted email, was a stop-gap. We thought we could put it out, and
then replace it with the new. But we became a lot more popular than we
thought around the world.

“We don’t know our customers, so the only way to communicate with them is
to maybe put a blog post out, saying we’re going to shut email off in 12
hours. That’s like saying ‘all the world’s law enforcement, you got 12
hours to subpoena us.’ No. So, John, myself and [co-founder] Phil
[Zimmermann, inventor of the PGP security system], we made the decision to
scorch earth. Gone.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
