Evernote data breach: lessons to be learned

A month on, Davey Winder analyses what others can learn from the Evernote data breach...

At the start of March some 50 million people received an email informing them that an online note taking and data archiving service they used had been hacked, and a password reset was required.

The way that the company concerned handled the disclosure of this information was interesting as it displayed a mixture of calm professionalism and schoolboy error.

We have mandatory fire drills. It is about time we have mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro.

What happened?

In many ways the Evernote data breach was little different to the plethora of incidents involving hackers gaining access to member data. Although we are still waiting for the forensic detail of the attack vector itself to be forthcoming, I wouldn't be at all surprised if it turned out to be the work of the same criminal hacking group based in Eastern Europe that has successfully attacked Apple, Facebook and Twitter in recent weeks.

The target is any data that holds a value on the underground online 'dark market', such as intellectual property, research material and, yes, email addresses and associated service passwords. We know that the Apple attack involved a Java browser plug-in vulnerability being exploited on some of its employees' desktops. We also know that the Facebook breach followed employees accessing a 'developer site', which suggests a similar use of a Java zero-day. Although China has been blamed by some, it seems unlikely that state-sponsored hackers would be involved in such blatant criminal activity rather than politically motivated hacktivity. Instead, the finger of suspicion points towards Eastern Europe where cyber-criminality is rife. And really advanced.

What we do know from the email that was sent out is that Evernote's Operations and Security team discovered and subsequently blocked "suspicious activity on the Evernote network" that appears to have been "a coordinated attempt to access secure areas" of the service. We also know that while there is no evidence emerging that any payment information or user content was accessed, user information certainly was breached. Evernote admits that the information accessed included "usernames, email addresses associated with Evernote accounts, and encrypted passwords" although it points out that the passwords were hashed and salted.

The however and whoever of the breach are by the by; if you are not clued up on how to best protect your enterprise against attack, you only have to scan the pages of IT Pro for plenty of pertinent advice from those who are.

No, what's really interesting here is the 'what happened next' process. And what happened next was a quite schizophrenic breach disclosure statement that simultaneously offered good advice while also ignoring it. It provided clarity but also obfuscation, and risked compounding reputational damage in equal measure to protecting the brand.

So what went right, and what went wrong, in terms of handling that disclosure? And, perhaps most importantly, what are the lessons that can be learned?
