Companies Need to Stop Hiding Their Cybersecurity Failures

The Epik hack

September 15, 2021
So I recently got this email from Epik, the domain name hosting provider I use:

At Epik, we take security and the privacy of your information very seriously. Therefore as a precautionary measure, I am writing to inform you of an alleged security incident involving Epik.

Our internal team, working with external experts, have been working diligently to address the situation. We are taking proactive steps to resolve the issue. We will update you on our progress. In the meantime please let us know if you detect any unusual account activity. I am proud of our team’s efforts as we do our part to empower a thriving internet for the benefit of our customers around the world.

You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good.

Blessings to you all.
Regards,

Rob Monster
Founder and CEO
Epik Holdings Inc

When I first read the email I didn't think much of it (although at first I thought it was from Vultr and I panicked a bit) and I just went about my day. Then I saw this video and realized there was a lot that Epik didn't tell me.

Apparently Epik got hacked by somebody claiming to be the hacktivist group Anonymous, and they leaked ten years' worth of the company's records, including all purchases made through Epik and the emails and passwords of everyone with an Epik account. Not only that, they managed to get hold of the home and root directories of one of Epik's servers (which they also leaked), and they even had enough access to post a fake update on Epik's website. To sum everything up, this was something quite a bit more serious than "an alleged security incident"; this was a complete and utter failure on the part of Epik, since they didn't even make things difficult for the hackers.

A few months ago Facebook was hacked and the personal data of over 500 million people was leaked (including things like addresses, phone numbers, emails, and employers). At the time I was quite tempted to download the data myself so that I could check whether any of my data had been compromised, and whether any of my friends or family (especially those who may be more susceptible to scams) had also been compromised. This time I'd quite like to download the data because I know that they have data about me in there, and I'd like to know exactly what the hackers know about me so that I can better guard myself against any sort of scams or other shenanigans that may come my way.

I never did download the leaked Facebook data, and while I'd love to have access to the Epik data that's been leaked about me, I don't have 170 gigs of extra hard drive space lying around that can be used for that purpose. But more importantly, I haven't done that because by doing so I'd be stepping into a bit of a legal grey area. Of course stealing data is illegal, but what are the laws regarding taking leaked data? As far as I know there is nothing illegal contained in either of these leaks, and as far as I know it is not illegal to look through leaked data, but I'm not really all that sure about that. And then of course, how much are we actually willing to trust criminals when it comes to this leaked data? These criminals say that they don't have anything illegal in their leaks, but remember, these are masked criminals; you can never fully trust someone who doesn't give you their real name.

Really, the issue I have with this is that there is no safe way of knowing if any data about me or those I love is contained in leaks of all sorts, and if so, exactly what that data is. Today's failure from Epik is just one of many examples of companies failing to protect their customers' data. This can happen to any company or piece of software. If you've ever read the change log of a program after it updates, you'll realize that it almost always says something like "security improvements" instead of "we patched the hole that allowed hackers to easily steal all of your banking information," when the latter of those two statements is more representative of what they actually did. And when important data is leaked like this, the company has a responsibility to tell its customers exactly what happened. Several months ago my university was hacked and their systems were down for the better part of a week, preventing students and teachers from accessing assignments. The school never told us they were hacked (although it was obvious); I only became sure of it because I had connections to the people who worked in IT. All the school did was make us change our passwords a month after it happened.

Anyways, I'm starting to ramble so I'd better wrap things up. All companies and government agencies that handle any sort of customer or citizen data should be legally required to undergo a cybersecurity audit annually and have the results of that audit made accessible to the people who would want to know (although a background check would probably be necessary to obtain that information, since we wouldn't want to give hackers a free list of vulnerable websites). Companies and government agencies should also be legally required to tell their customers when their systems are breached, and if any data is leaked they should tell their customers exactly what was leaked. If they fail to do this, customers should have the right to download and look through the leaked data themselves, because while things like haveibeenpwned.com do exist, they don't provide nearly enough data to people whose data has been leaked. When it comes to dealing with the potential scams and blackmail that may come after the wrong people have gotten hold of your data, it is important for you to know exactly what these people have and exactly where they got it from.