Behold! The Worst Breach Response!
In the last five years, I have seen a fair number of breaches, and most of them are handled similarly: notify appropriate authorities, stop any further damage, investigate, and alert affected parties. Of course, these breaches happen more often than we would like to admit, but when a company botches its own response through a series of missteps, that is how we get to the worst breach response in recent history.
A Truly Epik Breach
Epik is a company known for hosting mostly right-wing websites. Because of this, the hacker collective known as Anonymous targeted Epik and, over an unknown period of time, infiltrated their servers and collected all the information they could: hundreds of gigabytes of data. Everything from payments, hosting information, customer information, and more was revealed when Anonymous dumped the data for the public to see. This happened on September 13th of 2021, but the data appeared to originate from February of the same year.
When this dump happened, Epik was asked for comment and responded that they were “unaware of any data breach.” While this seems innocent, the idea that a company is not aware of something that is now public knowledge is alarming. It shows a lack of understanding or awareness of their own servers. You do not want to comment on something that you are not fully informed about.
This was the first of many missteps. Further analysis of the leaked information showed that passwords and other sensitive data were sometimes stored in plain text.
It Gets Worse
Files being leaked is nothing new, but imagine having the entire system you use leaked. On September 29th, Anonymous released another 300 gigabytes of data, and this time it was the entire bootable image of Epik’s systems. This means APIs or other applications that required that server to work could be run, at least in theory, by anyone. In addition, there are no more secrets as to what Epik was doing, or at least one would think. On October 4th, even more documents, including those from the Texas Republican Party, were leaked along with more bootable disk images.
Foot, Meet Mouth
Normally a company would get ahead of the problem and release statements to quell stakeholders' unease. Epik’s CEO, Robert Monster, decided the appropriate tactic was to respond to the breach through a live video conference. Epik had acknowledged an alleged incident at this point. One would expect the use of Zoom or some other video conference system, but Epik used PrayerMeeting.com. It is still a video meeting website, so it isn’t completely out of the blue. The content of this meeting was, however.
Monster held this meeting for more than 4 hours. He did admit there was a breach, which is good, but quickly derailed the conversation with what can only be considered meme-worthy content. Hackers and many others began flooding the conference, including members of Anonymous, which prompted a response from Monster. Also, some people notably affiliated with neo-Nazi groups were there, and Monster regarded them with “much love,” as well as allowing them to speak on irrelevant topics, only muddying the already murky waters of this conference. These people are not part of Epik’s staff and only serve to make the company look worse. Do not let unassociated groups or people be a part of your breach response.
Later, Monster would break into prayer and then claim that the drives which contained stolen information were in fact cursed to burst into flame. It is unclear at this time what the legal basis is for processing personal information for the purpose of cursing said information.
How to Avoid This
There are some pretty key takeaways here. They include the following:
- Know what you will say and stick to the script
- Encrypt your information
- Investigate alleged breaches
- Do not comment on topics you are not fully informed on
- Have a security program based on best practice, not metaphysical influence
- Do not let non-related parties be part of your press response
There is more here of course, but this was a true comedy of errors. I am hard pressed to think of a worse response to a breach, but hopefully, I never get to find one.