With the disclosure of 21 million individuals’ account information being accessed in a data breach at Timehop, we now have a blueprint for what public disclosure of a breach might look like under the new GDPR rules. In their disclosure, Timehop stated that on July 4, malicious actors gained access to account information for 21 million of its users. This account information included names, email addresses, phone numbers, and access tokens.
Guidance for protection
Timehop provided guidance for how users could protect their phone numbers from malicious activity and a detailed description of the impact on user experience. For many users, this will likely be their first experience with the phrase “access token,” and the Timehop team explained in reasonable detail that these tokens were used to access the social media accounts users had imported into the Timehop application. In an effort to ensure the malicious actors gained as little as possible from their actions, Timehop invalidated the tokens, which now requires affected users to reauthenticate Timehop for their social media accounts. Timehop is to be commended for their transparency in this disclosure and the clarity of their response.
Looking under the covers, we see a classic infiltration model with lessons we can learn from. Timehop disclosed that in December the credentials for an administrative user were compromised. That account was then used multiple times over a six-month period, during which time malicious actors were able to access and determine what assets were best to compromise. It appears they ultimately decided that extracting the user database during a major holiday in the United States was the correct opportunity. The net result was a data exfiltration event lasting over two hours on the Fourth of July. Part of Timehop’s response was to enable multifactor authentication for administrative users, but their internal response will likely have many areas of investigation.
How accessible should personal data be?
One of the more obvious questions involves the accessibility of the personal data. Nominally, this type of information should first be collected only if required, but it should also be encrypted. Based on Timehop’s commentary, it appears that the attackers had access to personal data. This would imply a lack of encryption or weak encryption, or indicate that in addition to obtaining a data store, the attackers also accessed encryption keys. The second, and to my mind more important, takeaway for everyone is that perimeter defenses, like firewalls, do nothing to prevent an attack from within.
Whenever the security state of an application is assessed, the threat models need to account for how the application is deployed and who has access over private channels. Lastly, Timehop is likely looking for evidence of any command and control structures the attackers may have installed. With six months of access, the malicious reconnaissance activities may have reconfigured systems in ways making them less secure.
In the end, the level of transparency provided by Timehop gives us all a working template for responsible disclosure in the age of GDPR.