Tech Hack Notification Delays Can Leave Corporate Customers in the Lurch

When a new version of a product is released, it is critical that the product is supported in all of its versions and languages. Our latest research has identified a problem where a new release can ship with a hidden feature that delays over-the-air notifications about that release.

This is an idea that has been brewing in my head for a while, and it’s one that I’ve been waiting to have the chance to write about. While most companies take care of their customers, some fail to do the same, leaving their consumers in the lurch. When companies are under the radar, and not properly communicating with their customers, the result can be an angry client—or, even worse, a non-customer.

A healthy business relationship is one in which both parties feel valued and are able to keep growing and adapting. Connecting with your customers is key to growing your business and holding on to loyal customers. However…

Some IT firms are reluctant to disclose specifics about product breaches, leaving consumers exposed to interruptions and unsure how to react when information becomes available.

Policymakers in the United States and Europe are scrutinizing cyberattacks in which hackers target a service provider and then exploit that footing to get access to their customers’ networks. Attacks against software firms SolarWinds Corp., Accellion USA LLC, and Kaseya Ltd. in recent months have shown attackers’ capacity to infect a significant number of businesses and government organizations using the same technological products.

According to legal and security experts, although businesses routinely ask their technology providers to report events that expose their data, many struggle to get information that might help them plan for the possible consequences from a cyberattack on their technology supply chain.

Pete Chronis, chief trust officer in residence at the Cloud Security Alliance, a nonprofit that creates cybersecurity standards and maintains a registry of security audits filed by cloud providers, said, “People want the most accurate concise information as quickly as possible.”

The risk of keeping customers in the dark about so-called supply-chain attacks is that malware will spread, disrupting their operations and those of their business partners. Details regarding how attackers gained access to a software provider, for example, might help customers recognize unusual behavior and improve security.

However, it can take weeks or months to investigate an attack, and suppliers must balance their customers’ need for information with the intensive work required to understand how the hack happened, said Mr. Chronis, formerly chief information security officer at AT&T Inc.’s WarnerMedia.

Cybersecurity regulations may apply to companies in areas such as critical infrastructure, forcing them to report intrusions to authorities. Many suppliers of critical services, such as electricity, transportation, and healthcare, in the European Union, for example, are required to notify authorities about cyber incidents that impact their services, depending on how long the incident lasts and how many people are affected.

According to Apostolos Malatras, a cybersecurity specialist at Enisa, the European cybersecurity organization, businesses that are obliged to inform authorities are more likely to report a breach to consumers.

According to Kaseya, a ransomware attack on July 2 impacted approximately 60 of its customers, many of whom are IT service providers with their own clients. Hackers exploited a flaw in Kaseya’s VSA administrator software to infect the company’s customers with ransomware. VelzArt, a Dutch technology firm that uses Kaseya, said the majority of its estimated 500 clients were affected, interrupting their IT operations.

One of VelzArt’s engineers discovered the attack after seeing that many of its customers’ systems went down at the same time. VelzArt staff got to work right away, repairing customers’ machines and restoring service.

On July 11, Kaseya released a patch. When asked how the company communicated with its customers, a representative refused to answer.

According to a report released last month by Enisa, in nearly two-thirds of 24 significant supply-chain attacks between January 2020 and July 2021, the suppliers didn’t know how hackers got into their systems or didn’t disclose that information to customers.

According to Sebastián García, an assistant professor at the Czech Technical University in Prague who contributed to the study, software firms and other suppliers may lack the technical know-how to quickly understand how an attack occurred, or they may not want to notify customers until they are certain about details.

Even technological firms, he claims, do not have complete insight into hackers’ activities. Investigating a hack is “extremely expensive,” he added, since “it requires a lot of human hours and tools to comprehend what’s going on.”


Under President George W. Bush, Theresa Payton served as the White House’s top information officer.


He said that lawyers and communications specialists are often engaged in determining whether a business should reveal a breach, since making information public too soon may be hazardous if the security team hasn’t closed all loopholes that could let attackers back into the network. “I should be fairly confident I’m in charge of the situation if I go public,” he added.

Accellion, a file-sharing software company based in Palo Alto, Calif., announced in a blog post on Jan. 12 that it discovered a vulnerability in its File Transfer Appliance tool in mid-December and issued a patch to “the less than 50 customers affected.” On Feb. 1, the company said it had notified all customers who used the software in December.

According to a study on the attack commissioned by the Reserve Bank of New Zealand, at least one client, the bank itself, didn’t get an update from Accellion until January 6. According to the study, Accellion allegedly failed to notify the bank that hackers had infected additional clients using the same malware.

“If given in a timely way, this information is very likely to have substantially impacted critical choices taken by the bank at the time,” the study said.

The central bank’s spokesperson refused to give any more information.

The QIMR Berghofer Medical Research Institute in Brisbane, Australia, claimed it got its first warning from Accellion on Jan. 4, instructing it to install a security patch. The software firm notified the institution on Feb. 2 that its data had been hacked. In a statement released in March, the institution said that hackers gained access to about 620 megabytes of its data.

The institution has “particular provisions regarding data security breach notifications in its contracts with vendors,” according to a spokesperson, and examines suppliers’ security practices before signing contracts.

Accellion refused to address questions regarding its contacts with customers such as QIMR Berghofer and the Reserve Bank of New Zealand, citing the company’s previous comments about the assault.

When personal data is exposed, most breach-notification rules compel businesses to notify authorities and impacted individuals within a certain time period, but they don’t oblige them to disclose information about how the incident happened.

According to Theresa Payton, president and chief executive of cybersecurity consulting firm Fortalice Solutions LLC and a former White House chief information officer under President Barack Obama, corporate cybersecurity teams can work out contractual bottlenecks and communication problems with technology firms by holding yearly exercises with suppliers to practice how they would be informed about a potential data breach.

Many contracts with suppliers contain wording requiring the supplier to inform their client in the event of a data breach or a service outage, but no language requiring the supplier to notify their customer in the event of other cyberattacks. She said, “You’d be shocked how often basic boilerplate surrounding cyber incident notification is absent.”

Catherine Stupp can be reached at [email protected].

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.
