Canva, the popular Australian online design startup, suffered a significant breach on Monday.
Data for roughly 139 million users was stolen by a hacker using the nom de guerre GnosticPlayers – who was actually the first to tip off journalists that the hack had taken place.
The depth and detail of stolen information is impressive. It included:
- Real names
- Email addresses
- City & country information
- Google tokens, used to enable access to the site without setting a password
- Password hashes for 61 million users
The passwords were scrambled with bcrypt, thought to be one of the most secure password-hashing algorithms. They were stolen in hashed form, so they should not be directly readable.
Nonetheless, accomplishments like this have given GnosticPlayers a street rep in security circles. She, he or possibly they have attempted to auction off the personal details of 932 million people since February, nicked from 44 companies around the globe.
The Canva hack raises the tally to over 1 billion.
While the specific vulnerability hasn’t been disclosed, it’s the initial response to the breach that Canva seems to have flubbed.
A few days prior the company had completed two large acquisitions and launched a new premium online service, then saw its valuation set at $2.5 billion following a new round of funding.
All great news for Canva – but they decided to make those win announcements in the same email that alerted users they might have had their personal details stolen.
Social media quickly lit up, with the company roundly mocked & criticised for delivering marketing fluff that muddied receipt of important security information.
The company reacted with a second email that led with the details of the breach. But it looks like some users received the first version, while others received the second.
Some have said they’ve had no communication from Canva at all.
Badly mixed messages
Admittedly the timing is awkward for the company – a string of major wins and a major breach in the same week.
But mixing the two messages in one communication is more than a bit off. Like patting yourself on the back while admitting a serious failure. It’s an odd pairing.
Canva also waited too long to alert users. By sitting on the information and allowing the news to be announced first by the press, the company risked creating an impression that they didn’t know about the breach, or at best were not in control.
They found themselves backed into a corner where they had to ‘confirm or deny’ what journalists were reporting. At almost every stage, it’s the hacker who seemed to be calling the shots.
For a company gearing up for global expansion, the reputational damage of that could be serious.
Surveys have shown that customers will abandon a brand following a major security incident, with companies being judged by both how well they protect data, and how they respond to a breach.
- Brand reputation suffers a big hit, with 41 percent of British consumers saying they will steer clear of a brand forever following a hack.
- Fifty-five percent of UK consumers felt their local shop would be a better custodian of data than a large company – with a smaller business being a less likely target for hackers, and more likely to care about its reputation.
- Consumer-facing organisations are particularly vulnerable to a lingering sales drop when data is hacked, with up to a third of consumers saying they will take their business elsewhere once a company has been breached.
In addition, companies that have experienced a breach often find the cost of acquiring new customers goes up.
That process won’t be made easier if the public reaction to a breach is tin-eared and scattershot.
Your customers want cyber assurance
Whether you’re a VC-backed tech unicorn, a local council or a mid-sized manufacturing firm, organisations of all sizes need to work harder when it comes to making customers feel secure.
Hacks and data loss are now a regular feature of the business landscape, and will be for the foreseeable future. The full price Canva will pay for this breach might not be apparent for months.
Costs can be minimised by a well-handled response. Alongside crisis communications planning, organisations also need to continually assess their security posture – as well as the level of awareness inside the organisation of how sensitive the issue of privacy and data protection has become for end users.
Getting this wrong, or allowing a perception to develop that your organisation doesn’t have its priorities straight where information security is concerned, could be a business killer.