Evernote data breach: lessons to be learned


At the start of March some 50 million people received an email informing them that an online note taking and data archiving service they used had been hacked, and a password reset was required.

The way that the company concerned handled the disclosure of this information was interesting as it displayed a mixture of calm professionalism and schoolboy error.

We have mandatory fire drills. It is about time we had mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro.

What happened?

In many ways the Evernote data breach was little different to the plethora of incidents involving hackers gaining access to member data. Although we are still waiting for the forensic detail of the attack vector itself to be forthcoming, I wouldn't be at all surprised if it turned out to be the work of the same criminal hacking group based in Eastern Europe that has successfully attacked Apple, Facebook and Twitter in recent weeks.

The target is any data that holds a value on the underground online 'dark market', such as intellectual property, research material and, yes, email addresses and associated service passwords. We know that the Apple attack involved a Java browser plug-in vulnerability being exploited on some of its employees' desktops. We also know that the Facebook breach followed employees accessing a 'developer site', which suggests a similar use of a Java zero-day. Although China has been blamed by some, it seems unlikely that state-sponsored hackers would be involved in such blatant criminal activity rather than politically motivated hacktivism. Instead, the finger of suspicion points towards Eastern Europe, where cyber-criminality is rife. And really advanced.

What we do know from the email that was sent out is that Evernote's Operations and Security team discovered and subsequently blocked "suspicious activity on the Evernote network" that appears to have been "a coordinated attempt to access secure areas" of the service. We also know that while there is no evidence emerging that any payment information or user content was accessed, user information certainly was breached. Evernote admits that the information accessed included "usernames, email addresses associated with Evernote accounts, and encrypted passwords" although it points out that the passwords were hashed and salted.

The however and whoever of the breach are by the by; if you are not clued up on how to best protect your enterprise against attack, you only have to scan the pages of IT Pro for plenty of pertinent advice from those who are.

No, what's really interesting here is the 'what happened next' process. And what happened next was a quite schizophrenic breach disclosure statement that simultaneously offered good advice while also ignoring it. It provided clarity but also obfuscation, and risked compounding reputational damage in equal measure to protecting the brand.

So what went right, and what went wrong, in terms of handling that disclosure? And, perhaps most importantly, what are the lessons that can be learned?

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.