Sunday, May 31, 2015

My Information Was Hacked

In the mail on Friday I received a letter from a company I do business with that informed me that their site had:
experienced a sophisticated cyberattack that potentially allowed attackers to gain access to a limited portion of your personal information. This letter describes what happened, what we are doing about it and what we think you should do.
Now in this day and age, with cyberattacks happening essentially on a daily basis, this came as no real surprise. In fact, I would say that not having a cyberattack on some site or company you do business with on the internet would be the exception these days. For a while there was an announcement about every week of such an attack: Target, Home Depot, even the IRS.

What has me a little puzzled and concerned is just how long it took this company to find out about the attack. In the letter sent to me (more on that later), it states that in April of this year they did an "extensive scan" and that unauthorized access took place in June of 2014. So it took almost an entire year for them to discover this. Wow. Why so long?

It means for almost 10 months the hackers had this information and could have been doing all kinds of things with it. And no one knew about it.

The letter goes on to state that the reason it took almost a month to inform people was to perform a comprehensive review of the systems and what was affected. I'm sorry, no, that's not what should have happened.

What should have happened was people were informed immediately of the hack. That additional steps were being taken to determine the exact nature of the breach. As soon as that was determined, people would be informed about the next steps being taken by this company. That way people could have taken steps on their own to start monitoring their own information.

I also take issue with how people were informed about the hack. The only way I received this information was in the letter I got. (It was covered in the media, but knowing the company was hacked and knowing your specific account was hacked are two entirely different things.) Now the letter didn't look like it was very important. You could have even taken it as a piece of junk mail and tossed it. In the letter they outlined additional steps I needed to take with the account. I went to the site and made those changes. Was there any message to my account detailing what had happened? No. The letter did provide a web address to go to for frequently asked questions.

They are going to provide for free two years of credit protection. How generous of them. The question on that is: is that a long enough time? Could not this information be kept somewhere and, say, used in three or four years? Where's our protection then?

Things like this happen. As I said, they are to be expected these days. But of great concern is how long it took this company to discover what happened. And then taking nearly another month to let people know what happened. That is not acceptable.
