
Key Takeaways from TechCrunch’s List of Badly Handled Data Breaches in 2022

TechCrunch recently released its list of the most badly handled data breaches in 2022. Surprisingly, Australia’s biggest data breaches to date – the Optus and Medibank breaches – didn’t make the list, perhaps because their impact was largely limited to Australians. 

However, there are some doozies on the list! 

But before we delve into the bad, we’d like to reflect on the good. TechCrunch pointed out that the Red Cross and Amnesty were shining examples of how to handle a data breach. You can read our coverage of an earlier Red Cross data breach and see our notes on how they leveraged transparency in the wake of the breach.  

Which Companies Made TechCrunch’s List of Badly Handled Data Breaches in 2022? 

TechCrunch’s list of 2022’s badly handled breaches comprised: 

  • Nvidia 
  • DoorDash 
  • Samsung 
  • Revolut 
  • Advanced (An NHS Supplier) 
  • Twilio 
  • Rackspace 
  • LastPass.  

We won’t examine the details of each breach here; the full details are in the TechCrunch article. 

But there are some key themes that emerge from the list of Badly Handled Data Breaches in 2022. 

Lack of Transparency: A Key Theme Amongst the Named Breaches 

A lack of transparency by organisations that have experienced a breach is a key theme amongst those named in TechCrunch’s list of badly handled breaches. (The article’s full title gives this away – It’s all in the (lack of) details: 2022’s badly handled breaches.)  

How to leverage transparency to avoid being named on TechCrunch’s 2023 list:  

  • Share details about how many individuals have been affected and what data has been taken as soon as possible. It’s important not to play down the severity of the breach – like Samsung did when it outlined that ‘demographic’ data may have been taken, when it’s likely that precise geolocation data was taken.  
  • Publish information about what your organisation is doing to protect your data subjects.  

“Rackspace received widespread criticism over its response for saying little about the incident or its efforts to restore the data.” 

  • Give people who’ve been affected really clear, practical guidance on what they should do. A lot of confusion and distress is caused by uncertainty, not just about the data that might have been involved and how it could be misused, but also about what people should do next. Knowing that something bad could potentially happen but not knowing what to do to protect yourself will only increase individual anxiety and concern. Think about the individuals who might be involved, and develop a communication and support strategy with them in mind. If you are going to offer support – like credit checking services – make sure that those have been established and that you’re able to provide clear, easy-to-understand guidance on how those services can be accessed. 
  • And don’t drop a new privacy policy that waters down your users’ rights around the time you disclose a breach – and definitely don’t publish it on the day of disclosure. 

(At Least Appear To) Put Your Customers First Following a Breach: The Second Key Takeaway 

Several of the companies named in TechCrunch’s list also failed to even give the appearance of putting their customers first.  

Samsung, for instance, chose the day it disclosed a data breach to introduce a mandatory new privacy policy that allows Samsung to use its users’ precise geolocation data to provide advertising and marketing.  


Meanwhile, LastPass has told its customers that they don’t need to take any action – despite malicious actors likely having access to the ‘master passwords’ that provide access to their encrypted password vaults.  

Some Additional Notes From the Poorly Handled Optus Breach

We covered separately how the Optus data breach communications strategy was problematic – perhaps adding to the national concern arising from the event. Three lessons from that data breach included: 

  • Be certain of your facts. Is it really a sophisticated cyber attack or an opportunistic exploitation of an internal failure? Changing your description of what’s happened erodes trust and can heighten anxiety and concern – as well as pique the interest of regulators. 
  • Co-operate with the government and regulator. In the Optus data breach, the government noted that, while Optus stated that it had alerted the 10,000 users whose information was published online via text and email, this response was simply not sufficient. The expectation was that people would be notified more quickly, in a more uniform way, and provided with all of the information they needed to work out how best to protect themselves from further harm.  
  • Keep communications clear and simple. Again, information about what to do was released in a piecemeal way, often scattered between commentary on the strength of the Optus cybersecurity measures in place. 

More on the Optus data breach communications strategy here. 

Finally, It’s Important to Adopt Stronger Security Measures in the Wake of a Breach 

Many of the data breaches outlined in the TechCrunch article referred to multiple intrusions within the same year – often by the same malicious actor(s).  

Key security takeaways from the article include:  

  • Respond swiftly if you know your employees’ credentials have been compromised. It’s a good idea to have multi-factor authentication on too, to limit the impact of compromised credentials.

“LastPass knew that customers’ encrypted password vaults could have been stolen…after the company confirmed its cloud storage was accessed using a set of employee’s cloud storage keys stolen during an earlier breach in August but which the company hadn’t revoked.” 

  • Implement customer segmentation and strict access controls if you store all your customer data in one online location (a common practice).  
  • Multi-factor authentication is becoming a no-brainer, especially for privileged accounts. 
  • Try not to use real data as test data. There are lots of alternatives available. If real data is required, then manage the test data as a priority: don’t forget about it, and continue to monitor any access until the database is deleted or de-identified. 

Privacy 108’s Data Breach Management Consulting

Privacy 108 has a team of security experts who can help establish or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach. 

Breaches in security can happen and, as outlined above, it’s often the way that a breach is handled that has the most long-term impact, rather than the breach itself. 

Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement, and testing assistance you need. 

Our data breach management services include: 

  • Developing an information security incident response capability; 
  • Preparing a data breach response plan; 
  • Testing and training staff in your incident response; 
  • Participating as legal advisers and/or privacy experts as part of your data breach/incident response team; 
  • Keeping you up-to-date with new or changing data breach notification obligations; 
  • Providing a legal opinion on your data breach notification obligations; and
  • Participating in or leading the post-incident review process. 

Our team of lawyers and security experts can support you through any organisational data breach with a view to resolving it as quickly as possible, while ensuring that any damage or loss to both affected individuals and your organisation is minimised. 

If you need assistance developing your organisation’s data breach management program, reach out. Our experienced team would love to help. 


Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.