It used to be that large companies could control the news cycle. Used to be, that is.
Now, with social media, no one is really in control of the news cycle.
Dow Jones, the parent company of the Wall Street Journal, which you would think would know a thing or two about the news cycle, apparently has not sorted this out for itself yet.
So, what happened?
On May 30th, UpGuard researcher Chris Vickery, who has been in the news on a regular basis lately due to his findings, found a dataset in the Amazon cloud with incorrect permissions on it. The dataset contained Dow Jones customer information and, due to this error, it was accessible for download by anyone who had an Amazon Web Services account – likely millions of people. Vickery says that based on his analysis, he thinks data on around 4 million customers was exposed. Dow Jones says that it wasn’t that bad; their guess is that it only exposed data on 2.2 million customers.
For some reason, it took Dow Jones a week to change the permissions on this file. A week. Why did it take a week? One possible reason might be tied to their head of communications’ explanation that this wasn’t really a big deal. Just customer information. Nothing to see, keep moving.
In this Amazon S3 bucket were multiple files. Looking at the data, Chris found customer names, home and work addresses, Dow Jones account numbers, account details, last four of their credit cards, email addresses and other information. There were many files in this bucket and Chris didn’t download all of them, so who knows what else was there.
Dow Jones said that it wasn’t a breach. True, it wasn’t. Then again, no one said that it was a breach, only that people who should not be able to read the data could read the data.
Dow Jones called that a data over-exposure. Well, certainly true – even though I have never heard that term used before. Over-exposure is what happens when you stay out in the sun too long or set the controls on your camera incorrectly. I have never heard anyone refer to leaking private customer information as a data over-exposure.
Dow Jones Director of Communications Steve Severinghaus said that the data was over-exposed only on Amazon and not on the Internet. I guess we should feel better that only a few million people could download it rather than a few billion people. There is some validity to that, but a few million is a large number in its own right.
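The "only on Amazon, not on the Internet" distinction corresponds to two different S3 grantee groups, and both are worth auditing for. The check below is an added example, not code from Dow Jones or UpGuard; it assumes the exposure came from a bucket ACL grant (the reporting only says "incorrect permissions"), and the sample ACL is constructed.

```python
# Added example: classify S3 ACL grants by how wide an audience they expose.
# Input has the shape returned by the S3 GetBucketAcl API
# (boto3: s3.get_bucket_acl(Bucket=...)), so it runs offline on saved output.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

AUDIENCE = {
    ALL_USERS: "anyone on the Internet",
    AUTH_USERS: "any AWS account holder",  # the "only on Amazon" case
}

READ_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl):
    """Return one finding per grant made to a global (public) S3 group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to specific accounts are not public
        audience = AUDIENCE.get(grantee.get("URI"))
        if audience is None:
            continue  # e.g. the LogDelivery group, not a public audience
        perm = grant.get("Permission")
        findings.append({
            "audience": audience,
            "permission": perm,
            "readable": perm in READ_PERMS,
            "writable": perm in WRITE_PERMS,
        })
    return findings


# Constructed sample ACL: owner access, log delivery, and one over-broad grant.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['audience']}")
```

ACLs are only one way a bucket ends up readable; bucket policies with a wildcard principal need the same review.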
Dow Jones said that they were not going to issue a public announcement (not to worry, it is all over the media, so an announcement is not really needed) because passwords and credit cards weren’t leaked. Probably, also, because they were hoping they could sweep this breach under the rug.
While Dow Jones’ Wall Street Journal may have a paywall to stop nosy people from reading about the breach, The Register, The Inquirer, SC Magazine, and UpGuard do not have paywalls.
These are just a few things that Dow Jones did wrong. You would think that they would have a crisis communications team. We certainly tell our customers that they need to have one. Maybe they do have one, but this item just got out of control.
Any crisis communications team worth anything will tell you that hunkering down and hoping that no one will notice is a risky proposition. It did not work here and likely won’t work for you.
The odd thing is that the WSJ ought to know better. After all, they break embarrassing news stories for breakfast. And lunch. Even for dinner.
What were they thinking?