Music subscription site Spotify made a surprising announcement recently: a hacker had broken through its security protocols and gained access to private information that had been submitted by its users.
Unlike recent data breaches with major companies like Target and eBay, Spotify stated that it had confirmed some positive news: no financial or sensitive personally identifiable information like Social Security numbers had been obtained.
That wasn’t the only good news, of course. Again, unlike cybertheft events like the one involving eBay in which about 145 million users’ names, addresses, emails, passwords, and PayPal connections may have been accessed for criminal purposes, the damage in Spotify’s case is thought to be far less widespread.
Yes, the tech leaders at Spotify believe that their recent cyber attack involved one individual, and that this individual’s sensitive information wasn’t accessed at all.
If that’s the case, why inform people in the first place? If one person had his account hacked and all the would-be thieves got for their trouble was his user name and maybe an email address, why go to the trouble of issuing a statement at all?
The first answer is accountability. eBay is still reeling from the criticism and bad press associated with its attempts at not being very forthcoming about its data breach. The company posted a minor news blurb on its corporate site, a site which a tiny percentage of its users look at, and even then tried to downplay the seriousness of the issue by simply telling users it would be a good idea to change their passwords.
The second reason, though, may have more to do with the confidence the company places in its technical security. When a hacking event occurs and is overwhelmingly unsuccessful, companies have a choice to make. Do they tell people and possibly alarm them, all while inviting copycat hackers to see if they can do a better job? Or do they quietly hush it up and sweep it under the rug?
Hopefully, companies that want to keep their consumers’ trust will choose the first one. Even if the event is minimal and barely requires sending out an email about the breach, it’s important that the companies we trust with our secure information let us know when something goes wrong. The only way consumers can protect themselves after the fact is by following up with the three credit reporting agencies, and by changing and resecuring any passwords. If you lack the knowledge to begin those processes, thieves can continue to benefit from your data until you discover the problem.
If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign. For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.