You can’t depend on outside organizations to keep you in the loop
Reuters has revealed that Microsoft failed to inform over 1,000 Hotmail users that their accounts had been compromised, likely by the Chinese government. Further compounding the situation is the fact that many of the accounts belonged to leaders of China’s Tibetan and Uihhur minority groups, both of which have a relationship with the mainstream government that can be described as rocky at best.
The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That’s when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program.
The program took advantage of a previously undetected flaw in Microsoft’s own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient’s incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly.
Although the above quote, from a Reuters article by Joseph Menn, describes how the attacks were discovered, it doesn’t explain why Microsoft chose to go with an unexplained forced password reset rather than informing those affected that their accounts were compromised. Especially given the obvious political ramifications of this specific situation. If you’re familiar with computers you know any serious attacker would have already dug themselves into the systems behind as many accounts as possible, and thus could have easily maintained access after a simple password change. Meaning, essentially, that Microsoft left these users high and dry.
What’s the lesson here? Don’t count on disclosure. Microsoft isn’t the only company that’s reluctant to share information from time to time. You, and you alone, are responsible for keeping your systems safe and secure. Whether it’s your smartphone, personal PC, or the company network, being proactive in detecting and defending against cyber attacks should be a constant concern.
——————————-
For more resources, see the Free Management Library topic: Crisis Management
——————————-
[Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is vice president for the firm, and also editor of its newsletter, Crisis Manager]
– See more at: https://management.org/blogs/crisis-management/2016/01/09/chipotles-fall-from-grace-continues/#sthash.JkjqI1if.dpuf