
Why Crisis Communications is Important

It used to be that large companies could control the news cycle.  Used to be, that is.

Now, with social media, in reality, no one is in control of the news cycle.

Dow Jones, the parent company of the Wall Street Journal, which you would think would know a thing or two about the news cycle, apparently has not sorted this out for itself yet.

So, what happened?

On May 30th, UpGuard researcher Chris Vickery, who has been in the news on a regular basis lately due to his findings, found a dataset in the Amazon cloud with incorrect permissions on it.  The dataset contained Dow Jones customer information and, due to this error, it was accessible for download by anyone who had an Amazon Web Services account – likely millions of people.  Vickery says that based on his analysis, he thinks data on around 4 million customers was exposed.  Dow Jones says that it wasn’t that bad; their guess is that it only exposed data on 2.2 million customers.

For some reason, it took Dow Jones a week to change the permissions on this file.  A week.  Why did it take a week?  One possible reason might be tied to their head of communications’ explanation that this wasn’t really a big deal.  Just customer information.  Nothing to see, keep moving.

In this Amazon S3 bucket were multiple files.  Looking at the data, Chris found customer names, home and work addresses, Dow Jones account numbers, account details, the last four digits of their credit cards, email addresses and other information.  There were many files in this bucket and Chris didn’t download all of them, so who knows what else was there.

Dow Jones said that it wasn’t a breach.  True, it wasn’t.  Then again, no one said that it was a breach, only that people who should not be able to read the data could read the data.

Dow Jones called that a data over-exposure.  Well, certainly true – even though I have never heard that term used before.  Over-exposure is what happens when you stay out in the sun too long or set the controls on your camera incorrectly.  I have never heard anyone refer to leaking private customer information as a data over-exposure.

Dow Jones Director of Communications Steve Severinghaus said that the data was over-exposed only on Amazon and not on the Internet.  I guess we should feel better that only a few million people could download it rather than a few billion people.  There is some validity to that, but a few million is a large number in its own right.
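The permission error described above matches an S3 ACL grant to the AuthenticatedUsers group (any AWS account) rather than AllUsers (the whole Internet); that mapping is an assumption, since the reports quoted here do not name the exact setting. The following is an added example, not code from this post, Dow Jones or UpGuard, that flags both kinds of grant in a constructed ACL shaped like an S3 GetBucketAcl response.

```python
# Added example: classify S3 bucket ACL grants by the audience they expose.
# SAMPLE_ACL is constructed data in the shape of an S3 GetBucketAcl response;
# the owner ID is a placeholder, not a real canonical ID.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

AUDIENCE = {
    ALL_USERS: "anyone on the Internet",
    AUTH_USERS: "anyone with an AWS account",
}

# Bucket-level permissions: READ lists objects, READ_ACP reads the ACL,
# WRITE creates/overwrites/deletes objects, WRITE_ACP rewrites the ACL.
READ_LIKE = {"READ", "READ_ACP", "FULL_CONTROL"}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS},
         "Permission": "READ"},
    ],
}

def audit_acl(acl):
    """Return one finding per grant made to either global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in AUDIENCE:
            continue  # owner and named-account grants are not broad exposure
        perm = grant.get("Permission", "")
        findings.append({
            "audience": AUDIENCE[uri],
            "permission": perm,
            "readable": perm in READ_LIKE,
            "writable": perm in WRITE_LIKE,
        })
    return findings

if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['audience']}")
```

Either audience is a finding: the AuthenticatedUsers group covers every AWS account holder, not just accounts in the bucket owner's organization.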

Dow Jones said that they were not going to issue a public announcement (not to worry, it is all over the media, so an announcement is not really needed) because passwords and credit cards weren’t leaked.  Probably, also, because they were hoping they could sweep this breach under the rug.

While Dow Jones’ Wall Street Journal may have a paywall to stop nosy people from reading about the breach, The Register, The Inquirer, SC Magazine, and UpGuard do not have paywalls.

These are just a few things that Dow Jones did wrong.  You would think that they would have a crisis communications team.  We certainly tell our customers that they need to have one.  Maybe they do have one but this item just got out of control.

Any crisis communications team worth anything will tell you that hunkering down and hoping that no one will notice is a risky proposition.  It did not work here and likely won’t work for you.

The odd thing is that the WSJ ought to know better.  After all, they break embarrassing news stories for breakfast.  And lunch.  Even for dinner.

What were they thinking?

Information for this post came from SC Magazine, UpGuard and The Register.

 

New Information On Chase Breach

Many of you will remember that J.P. Morgan Chase was breached last year and the information on 76 million customers and 7 million businesses was taken.  The information included name and address information, but did not contain very much non-public personal information.

Well, we are now hearing more information.

The U.S. Attorney for the Southern District of New York released a 23-count indictment charging 3 people with securities fraud, identity theft and computer hacking.  Two of the people have been arrested; the third is still at large.

We have been wondering why they took the information.  It turns out that they used the information to manipulate stock prices and it worked pretty well.  The U.S. Attorney claims that they made hundreds of millions of dollars on the scam.

While up until now, Chase has said that the hackers got into the bank’s systems in July 2014 and were discovered in August 2014, it is now coming out that the hackers were inside the bank’s systems since 2012.

It is also coming out that Chase was not alone. Eight other financial institutions were hacked as well.  All told, 14 companies were breached.

The hackers set up 75 shell companies, banks and brokerages across the globe to filter the illicit money.  The three men used 200 fake identities and had 30 fake passports purporting to be issued by 16 countries, including the U.S.  So much for hack-proof passports, I guess.

Prosecutors say that the 3 men’s adventures in hacking date back to 2007.

This is pretty impressive.  Other financial institutions attacked include E-Trade, Scottrade, TD Ameritrade, Dow Jones, Fidelity Investments and bitcoin exchange Coin.mx, among others, although the details of those attacks were not announced.

 

Information for this post came from SC Magazine and Dark Reading.