BreachExchange mailing list archives

Target breach notifications are a perfect example of what not to do

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Jan 2014 18:05:01 -0700

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

Hopefully your company will never be the victim of a massive data breach.
If it is, though, and customer data is compromised, make sure you don’t
follow Target’s lead when it comes to notifying customers. Target’s
customer notification efforts are wrong on almost every level.

Customers are conditioned to not click on links in email messages. In the
wake of a massive data breach like Target experienced, phishing scams often
try to exploit the heightened awareness by sending out emails that look
very legitimate.

Security experts warn users to specifically avoid such emails following a
data breach, and remind users that a legitimate, reputable company would
not send you an email and ask you to click on a link.

Apparently, Target did not get that memo.

James Lyne, global head of security for Sophos, received an email from
Target—although he claims that he is not even a Target customer. There are
apparently many people receiving breach notification emails from Target who
did not shop at Target and are not affected by the breach.

Lyne dissected the email in a post on Forbes, breaking down point by point
all the ways Target failed. It uses a shady subdomain—“target.bfi0.com”
rather than just “target.com”—and directs users to click on a link
comprised of endless gibberish. The email is distributed using a
ridiculously suspicious-looking email address. In a nutshell, there is
nothing about the legitimate breach notification email from Target that
differentiates it in any way from a reasonably well-crafted phishing attack.

“What hope do users have of making a decision about the legitimacy of
emails when the good guys behave like this?” asks Lyne. “Target needs to
look closely at how it rebuilds consumer trust and suspicious looking
emails is not going to help.”

Try this

If you ever find your company in the unfortunate position of needing to
notify customers of a data breach and possible compromise of personal
information, this is not how you do it. The notification email should
originate from a domain that is instantly identifiable as your company. If
your Web domain is “pcworld.com”, the notification email should come from
“<SomeRelevantAddress>@pcworld.com”.

The notification should be just that—a notification. It should clearly
state the facts of the incident, and explain in simple terms what
information is potentially compromised, and what customers can do to
determine if they’re affected, and what they should do to protect
themselves and their personal data. It can provide a phone number for
customers to call, but it should not contain a link that customers are
expected to click on for any reason.
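As an added illustration (not from the article or from Lyne's post), the Python script below checks a draft notification against the two guidelines just stated: the sender address must sit under the company's own domain, and the body should contain no links at all. The two sample messages, their addresses and the phone number are constructed for this example; "target.bfi0.com" is the host the article names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style the article criticises: the sender and link
# host are NOT under target.com (the registrable domain is bfi0.com).
SUSPECT_MSG = """\
From: TargetNews@target.bfi0.com
To: customer@example.org
Subject: Important message about your information

Please click here to learn more:
https://target.bfi0.com/x/c/?v=AbC123XyZ9876543210aBcDeFgHiJkLmNoPqRsTuVwXyZ
"""

# Constructed sample that follows the guidance: own domain, phone number, no links.
COMPLIANT_MSG = """\
From: security@target.com
To: customer@example.org
Subject: Important message about your information

Call us at 1-800-000-0000 (placeholder number) to confirm whether you are affected.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def in_org_domain(host: str, org_domain: str) -> bool:
    """True only if host is org_domain itself or a label-aligned subdomain of it.
    'target.bfi0.com' fails for 'target.com': a lookalike label is not a subdomain."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def audit_notification(raw: str, org_domain: str) -> list:
    """Return the guideline violations found in a raw RFC 822 draft (empty = passes)."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not sender_host or not in_org_domain(sender_host, org_domain):
        findings.append(f"sender domain '{sender_host}' is not under {org_domain}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        where = "on" if in_org_domain(host, org_domain) else "off"
        findings.append(f"contains a link ({where}-domain host '{host}'); notifications should carry none")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("compliant", COMPLIANT_MSG)):
        print(label, audit_notification(raw, "target.com") or ["no findings"])
```

The suspect draft yields two findings (off-domain sender and an off-domain link); the compliant draft yields none.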

We can excuse Target to some extent for being the unfortunate victim of
such a massive data breach. Its response to the breach, however, and these
very shady customer notification emails, are inexcusable.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 