Covering Data Breaches in an Ethical WayHow Do We Avoid Data Dump Voyeurism and Victim Shaming?
Data breaches are tricky to cover, and we want to report on them in an ethical way. That requires picking what should be reported for informed public discourse but avoiding topics that may encourage attackers' efforts to shame victims into paying a ransom and anything resembling data dump voyeurism.
Australia has been hit with a series of devastating data breaches. It started in September with Optus, a large telecommunications company that exposed its customer database to the internet via an application programming interface that didn't require authentication (see: Optus Attacker Halts AU$1.5 Million Extortion Attempt).
How do we sensitively cover ransomware and extortion but still inform the public? How do we avoid giving the attackers attention they crave?
A couple of weeks later, one of the nation's largest health insurers, Medibank, began disclosing increasingly grim news about a security incident. A ransomware group gained access to 9.7 million records of current and former customers. The data, which the attackers have been releasing in order to coax Medibank into paying a ransom, includes medical codes related to procedures or conditions (see: Medibank Says No to Paying Hacker's Extortion Demand).
Medibank and the Australian government have asked the media not to unnecessarily download the data or to directly contact customers. The data breach wave in Australia has posed questions about how mainstream journalists unfamiliar with the arcane world of data breaches and cybersecurity should approach coverage. These are some of the perspectives I keep in mind as a journalist when covering sensitive data breaches.
Ransomware and extortion groups usually publicly release stolen data if a victim doesn't pay. In many cases, the victim organization hasn't publicly acknowledged it has been attacked. Should we write or tweet about that?
I now generally avoid publicizing victims that haven't acknowledged an incident. These are victims of crime, and not every organization handles these situations well, but the media can make it worse.
Are there exceptions to this rule? Sure. If an organization hasn't acknowledged an incident but numerous media outlets have published pieces, then the incident could be considered public enough. But many people tweet or write stories about victims as soon as their data appears on a leak site. I think that is unfair and plays into the attackers' hands, increasing pressure on victims.
Covering Cybercrime Sensitively
Using leaked personal details to contact people affected by a data breach is a touchy area. I only do this in very limited circumstances. I did it with one person in the Optus breach. The reason was at that point there were doubts about if the data had originated with Optus. The person also lived down the road from me, so I could talk to them in person (see: Optus Under $1 Million Extortion Threat in Data Breach).
Once I was satisfied the data belonged to Optus, I didn't contact anyone else. For me, using leaked details to contact people to see how they feel about their details being leaked is a no-no. It's a terrible invasion of privacy.
With Medibank, contacting victims was unnecessary for verification purposes since Medibank has confirmed and continues to confirm in unprecedented detail the data as the ransomware gang continues to publicly dump it. For reaction stories, it's easy to find people affected by breaches on social media.
Another perspective is the influence that media coverage can have related to ongoing criminal acts. The ransomware group that struck Medibank has been closely watching events in Australia, including what journalists are writing and what government officials are saying.
Several years ago, I covered an extortion group called The Dark Overlord. The attackers grew to very much enjoy their media coverage, and it became clear a line had to be drawn over what to cover and how much attention to give them (see: 'The Dark Overlord' Advertises Stolen Source Code).
When the Optus data breach happened, I contacted the attacker. I wanted to find out how the attack was executed. This was an important and unresolved question at the time for our information security readership. I had a few other small questions, but after I got my answers, I stayed out of the situation since it was an ongoing crime.
In the case of Medibank, the attackers are periodically releasing sensitive data. Do we need to cover every file that gets released? Home Affairs and Cyber Security Minister Clare O'Neil recently said the group could leak data for weeks or months.
How do we cover ransomware and extortion sensitively but still inform the public? How do we avoid giving the attackers attention they crave?
I don't want to come across as if I have the best answers. I've definitely made wrong decisions in the past covering this field, too. It's important to pause and recognize the sensitivities around covering cybercrime.