How Not to Report a Data Breach
Aussie Tech Company sees details of 140 million users hacked.
Australian tech company Canva is facing criticism for the way it handled the aftermath of a data breach in which the details of nearly 140 million users were stolen.
Just one week after a $70 million round of funding saw Canva’s valuation rise to US$2.5 billion, a hacker by the name of GnosticPlayers contacted a ZDNet reporter to inform them they had breached Canva’s system and managed to “download everything up to May 17.”
“They detected my breach and closed their database server,” according to the hacker.
No credit card or financial details were captured by the hacker; however, there has been some fallout in the wake of Canva’s email to users. Twitter user Dave Hall pointed this out in a tweet to the company, stating “this is not how you start an email telling your customers you’ve been breached.”
The email opened with the message that the company “spend[s] a lot of time and energy working to empower our community,” and then went on to tell users about its “acquisitions of free photography sites Pexels and Pixabay to give our community an additional one million free images to use.”
It wasn’t until the second paragraph that the company admitted that they had “become aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI),” the email read.
Another Twitter user, Kathy Reid, tweeted a public service announcement in case users had assumed Canva’s email was “marketing fluff,” as she put it. Reid advocated for a “mandated template for this stuff,” pointing out that the company may have buried the real point of the email beneath the announcement of its acquisitions.
James Turner, founder of CISO Lens, which provides a forum for information security officers in Australia, told the AFR that it “will be an uncomfortable experience, but has the potential to be a phenomenal turning point for the company, the users, and the broader Australian tech start-up scene.”
“The lesson for all startups needs to be that you can’t ride the upside of the Internet without appropriate risk identification and management,” Turner said.
According to ZDNet, with the latest hack, the hacker responsible for cracking Canva’s system, “GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone’s still keeping count, that’s 1,071 billion credentials from 45 companies.” The Australian Financial Review, meanwhile, is reporting that “the same hacker has reportedly looked to sell the data of 932 million users stolen from 44 companies on the dark web since February.”
Twitter user Dave Hall critiqued the company’s introductory message in the email, which Canva users might have taken for a routine marketing message when, in actuality, its contents were incredibly serious.