Unisys data breach, or a study in how not to disclose breaches

Note: Opinions are my own. I make no representation on behalf of any other entity.

Update: In due fairness to Unisys, and mentioned in a reply from them, I emailed [email protected] rather than [email protected] and hence the bouncing email that I originally referred to. My mistake, there. I have proactively corrected the record below, of my own volition.

So data breaches seem to be all the rage nowadays. They happen. I've stood by without comment on a number, including the Medibank breach that my data seemingly may have been wrapped up in. I've largely respected Medibank's effort towards transparency in that. I do not consider myself to be an expert in cyber security, nor in data breaches, and I'm certainly not in the habit of calling out former employers as a rule. There are still people working at my former employer who I'd like to work with again. But the rule, in this case, seems to need an exception.

Unisys this week disclosed (via email) to former associates (ex-employees) that their data has been affected by a breach, by virtue of being improperly stored in a location accessible to the public. This data was confirmed stolen, according to the email. And here is where my problem comes in.

The email is a case study in crisis comms, run through PR and legal for the purpose of watering down and de-emphasising the message. "Your data may have been breached" is certainly the most important message. Following on from that ... a statement about how it does not create any material risk, and a distinct and nearly complete lack of next steps or action???

So - let me assure you that Unisys internal security training does not make any distinction between full name, personal email, personal phone numbers, or "more sensitive" personally identifiable information (PII). All of it is bad, and there absolutely is no basis for Unisys to make a determination of what risk it poses to the people exposed. I'm still fuming on that.

More seriously, "contact us if you want to find out if your data was disclosed" is the underlying call to action for the email and attached FAQ. Completely unacceptable. So I replied with what seemed like some reasonable steps that certainly seem to model responses I've seen such as Medibank's comms, as well as some good practices that could help to restore some trust.

Initially I mistakenly asserted that [email protected] was bouncing. That was incorrect and I had been messaging [email protected] without noticing. My bad, and Unisys have also added [email protected] as an email alias - but I remain in disagreement that former associates should need to email to find out if their data (and what) was breached.

There's a clear obligation towards the various jurisdictions in which Unisys operate their business, to their customers, and to the people whose data was exposed - regardless of how "minor" Unisys consider this to be. I still maintain that the reasonable steps in my original reply should be taken to restore some level of trust. 

Disclaimer: The email reproduced below contains information that was sent to external recipients (including myself) by Unisys, with whom I am no longer associated. The confidentiality of this information relates to the disclosure of personal data - and very likely my own based on context - which should reasonably be considered appropriate for the recipient(s) to disclose and express opinions about. I do not have any further information or details on the breach beyond what has been communicated. It is unlikely that the disclaimer at the end of this email trail applies to my post, but I would clarify that this post is entirely personal opinion.

(Note - Incorrect replies re bounce removed, in fairness to Unisys)

From: Matt
Sent: Thursday, 3 November 2022 13:42
To: ~Mat Newfield, Chief Information Officer <[email protected]>; [email protected] <[email protected]>
Subject: Re: Incident Notice

Hi,

As you should be well aware, data such as full name, personal phone, and personal email are PII and absolutely do create material risk of identity theft and fraud by virtue of being personally identifiable information. At best, it is disingenuous to suggest otherwise, and "you should be vigilant against phishing" is not enough. Equally - it is not on associates to contact you to find out, you must notify affected parties and disclose the specific data that was contained in their record. "We do not believe" is filled with good intentions and it's not up to you to decide if this could harm someone.

So - since you have not set out clear next steps, allow me to strongly suggest some:

  1. Proactively contact each former associate whose data was contained in the unprotected location and disclose specifically what data was stolen
  2. Offer appropriate protection to those associates, such as 12 months of credit monitoring
  3. Advise all former associates how their data is retained, used, and disposed, and any changes that you will make to this going forward
  4. Advise all former associates which jurisdictions have been notified under either mandatory or voluntary data breach notification schemes

Please note that I deeply understand that data breaches can happen, but I am concerned with your approach and reaching out to offer you the opportunity to correct it.

Thanks,

Matt

From: ~Mat Newfield, Chief Information Officer
Sent: Thursday, November 03, 2022 10:33
Subject: Incident Notice

A Message from Katie Ebrahimi, Chief Human Resources Officer and Mat Newfield, Chief Information Officer

Incident Notice

November 3, 2022

We want you to be aware of a recent incident that involved contact and other business information relating to you. We take the protection of personal information very seriously and very much regret that this incident happened.

What Happened. Unisys determined that certain business contact and other general business information for former Unisys associates relating to their prior employment with Unisys that was contained in an internal storage location was stolen by an unknown third party. This storage location was misconfigured and inadvertently open to the public. Based on the investigation to date, we have identified neither any compromise of our broader environment or data nor other indication of any malicious activity in connection with this incident.

What Information Was Involved. The impacted data included certain business contact and other general information for former Unisys associates, such as names, email addresses, phone numbers, corporate departments, position titles, manager information, company identification numbers, office location and time zone information. The information also included personal email and/or phone number if that information was provided to Unisys. Based on our investigation to date, we do not believe that the impacted data contained sensitive personal information, such as social security numbers, government IDs, financial account information, employee files, health information or similar more sensitive personal information.

What We Are Doing. We began investigating the incident as soon as we became aware of it. We removed public access from the storage location. Unisys has not detected any signs of an external or internal compromise of the Unisys environment or other malicious activity.

What You Can Do. We do not believe the contact and other general business information involved in this incident create any material additional risk of identity theft or fraud. However, you should always remain vigilant, including against potential phishing.

Further Information. Please see the attached FAQs about the incident. If you have additional questions, please contact Unisys at [email protected].

Katie Ebrahimi
Chief Human Resources Officer  

Mat Newfield
Chief Information Officer  


This communication is for internal use only. It may contain confidential and/or otherwise proprietary material and is thus for use only by the intended recipient. This communication should not be forwarded or otherwise disclosed outside of Unisys. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
