Note: Opinions are my own. I make no representation on behalf of any other entity.
Update: In due fairness to Unisys, and mentioned in a reply from them, I emailed [email protected] rather than [email protected] and hence the bouncing email that I originally referred to. My mistake, there. I have proactively corrected the record below, of my own volition.
So data breaches seem to be all the rage nowadays. They happen. I've stood by without comment on a number, including the Medibank breach that my data seemingly may have been wrapped up in. I've largely respected Medibank's effort towards transparency in that. I do not consider myself to be an expert in cyber security, nor in data breaches, and I'm certainly not in the habit of calling out former employers as a rule. There's still people working at my former employer who I'd like to work with again. But the rule, in this case, seems to need an exception.
Unisys this week disclosed (via email) to former associates (ex-employees) that their data has been affected by a breach, by virtue of being improperly stored in a location accessible to the public. This data was confirmed stolen, according to the email. And here is where my problem comes in.
The email is a case study in crisis comms, run through PR and legal for the purpose of watering down and de-emphasising the message. "Your data may have been breached" is certainly the most important message. Following on from that ... a statement about how it does not create any material risk, and a distinct and nearly complete lack of next steps or action???
So - let me assure you that Unisys internal security training does not make any distinction between full name, personal email, personal phone numbers, or "more sensitive" personally identifiable information (PII). All of it is bad, and there absolutely is no basis for Unisys to make a determination of what risk it poses to the people exposed. I'm still fuming on that.
More seriously, "contact us if you want to find out if your data was disclosed" is the underlying call to action for the email and attached FAQ. Completely unacceptable. So I replied with what seemed like some reasonable steps that certainly seem to model responses I've seen such as Medibank's comms, as well as some good practices that could help to restore some trust.
Initially I mistakenly asserted that [email protected] was bouncing. That was incorrect and I had been messaging [email protected] without noticing. My bad, and Unisys have also added [email protected] as an email alias - but I remain in disagreement that former associates should need to email to find out if their data (and what) was breached.
There's a clear obligation towards the various jurisdictions in which Unisys operate their business, to their customers, and to the people whose data was exposed - regardless of how "minor" Unisys consider this to be. I still maintain that the reasonable steps in my original reply should be taken to restore some level of trust.
Disclaimer: The email reproduced below contains information that was sent to external recipients (including myself) by Unisys who I am no longer associated with. The confidentiality of this information relates to the disclosure of personal data - and very likely my own based on context - which should reasonably be considered appropriate for the recipient(s) to disclose and express opinions about. I do not have any further information or details on the the breach beyond what has been communicated. It is unlikely that the disclaimer at the end of this email trail applies to my post, but I would clarify that this post is entirely personal opinion.
(Note - Incorrect replies re bounce removed, in fairness to Unisys)
As you should be well aware, data such as full name, personal phone, and personal email are PII and absolutely do create material risk of identity theft and fraud by virtue of being personally identifiable information. At best, it is disingenuous to suggest otherwise, and "you should be vigilant against phishing" is not enough. Equally - it is not on associates to contact you to find out, you must notify affected parties and disclose the specific data that was contained in their record. "We do not believe" is filled with good intentions and it's not up to you to decide if this could harm someone.
So - since you have not set out clear next steps, allow me to strongly suggest some:
- Proactively contact each former associate whose data was contained in the unprotected location and disclose specifically what data was stolen
- Offer appropriate protection to those associates, such as 12 months of credit monitoring
- Advise all former associates how their data is retained, used, and disposed, and any changes that you will make to this going forward
- Advise all former associates which jurisdictions have been notified under either mandatory or voluntary data breach notification schemes
Please note that I deeply understand that data breaches can happen, but I am concerned with your approach and reaching out to offer you the opportunity to correct it.
From: ~Mat Newfield, Chief Information Officer
Sent: Thursday, November 03, 2022 10:33
Subject: Incident Notice