The nightmare of every Internet Service Provider has materialized in the Netherlands, where KPN, one of the country's main ISPs, has stopped providing email services after a group of hackers published the credentials of more than 500 of its customers on the internet.
The handling of the incident and the delay in informing customers of the breach have come under heavy criticism. According to our latest information, the incident occurred towards the end of January, but the company, in collaboration with law enforcement and the Dutch government, decided to maintain secrecy in order to allow officials to investigate the matter away from the prying eyes of the media.
Right or Wrong?
This decision has exposed customers to serious risk of fraud and espionage.
We must take into consideration that customers tend to reuse the same credentials across several online services, such as other email accounts, social network profiles and financial services, so a leaked email password often opens far more than the email account itself.
News of the breach leaked out on February 8th, only three days after KPN ceased all email services because the hacked credentials had been posted on PasteBin.com. KPN provides services to over two million Dutch users, and the concern is that the approximately 500 leaked credentials are not the only ones compromised.
I firmly believe that such incidents should be managed with full transparency, informing the users immediately. Email today has become a primary method of transmitting sensitive data, although this is generally highly inadvisable.
Immediately informing the users could prevent not only fraud, but also further attacks on other systems on the Internet. This factor was completely ignored, and the decision to keep the KPN incident secret is proof of that.
I find it interesting to compare the ways in which similar incidents have been handled. Symantec, Stratfor, T-Mobile, RSA, Verisign and Diginotar have all suffered breaches recently, and each one handled the incident differently. They all share one common factor: the obscuring of details pertaining to the incident.
A proactive response to issues like these can help prevent further damage, and the benefits, IMHO, far outweigh any gained from maintaining secrecy.