In-depth

Evernote data breach: lessons to be learned

A month on, Davey Winder analyses what others can learn from the Evernote data breach...

At the start of March some 50 million people received an email informing them that an online note taking and data archiving service they used had been hacked, and a password reset was required.

The way that the company concerned handled the disclosure of this information was interesting as it displayed a mixture of calm professionalism and schoolboy error.

We have mandatory fire drills. It is about time we have mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro.

What happened?

In many ways the Evernote data breach was little different to the plethora of incidents involving hackers gaining access to member data. Although we are still waiting for the forensic detail of the attack vector itself to be forthcoming, I wouldn't be at all surprised if it turned out to be the work of the same criminal hacking group based in Eastern Europe that has successfully attacked Apple, Facebook and Twitter in recent weeks.

The target being any data that holds a value on the underground online 'dark market' such as intellectual property, research material and, yes, email addresses and associated service passwords. We know that the Apple attack involved a Java browser plug-in vulnerability being exploited on some of its employees' desktops. We also know that the Facebook breach followed employees accessing a 'developer site' which suggests a similar use of a Java zero-day. Although China has been blamed by some, it seems unlikely that state-sponsored hackers would be involved in such blatant criminal activity rather than politically motivated hacktivity. Instead, the finger of suspicion points towards Eastern Europe where cyber-criminality is rife. And really advanced.

What we do know from the email that was sent out is that Evernote's Operations and Security team discovered and subsequently blocked "suspicious activity on the Evernote network" that appears to have been "a coordinated attempt to access secure areas" of the service. We also know that while there is no evidence emerging that any payment information or user content was accessed, user information certainly was breached. Evernote admits that the information accessed included "usernames, email addresses associated with Evernote accounts, and encrypted passwords" although it points out that the passwords were hashed and salted.

The however and whoever of the breach are by the by; if you are not clued up on how to best protect your enterprise against attack, you only have to scan the pages of IT Pro for plenty of pertinent advice from those who are.

No, what's really interesting here is the 'what happened next' process. And what happened next was a quite schizophrenic breach disclosure statement that simultaneously offered good advice while also ignoring it. It provided clarity but also obfuscation, and risked compounding reputational damage in equal measure to protecting the brand.

So what went right, and what went wrong in terms of handling that disclosure. And, perhaps most importantly, what are the lessons that can be learned?

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021
“Great resignation” sparks concern over insider data leaks
data protection

“Great resignation” sparks concern over insider data leaks

13 Aug 2021
Data breach exposes millions of seniors' data
big data

Data breach exposes millions of seniors' data

9 Aug 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021