Attacks Using Attacks

Not too long ago I wrote about a security failure from an AI company, Evisort, that had a development database exposed on the Internet. There were reports of customer information being exposed, and initially it appeared that Evisort was being negligent by putting an ElasticSearch database with no password on the Internet. They were, but this might not have been a problem for customers.

In an update, Evisort disputes that any customer data was exposed, and they've updated security. They've hired consultants to help them and they are investigating and reviewing all documents that were exposed. They've offered to talk with any customers, and it appears they are taking this event seriously.

So, was there really a breach? I don’t know. I have no firsthand knowledge of the actual data, and I haven’t seen anything that indicates Evisort is covering up data loss. Perhaps they are, but perhaps someone was just seeking to imply there was a breach. Doing so is an attack on Evisort, not with data, but with information.

This might have been sent to a reporter to cause Evisort issues. Perhaps the issue was publicized to make Evisort appear negligent and win a competitor a deal that was near completion. Perhaps this was an attempt to prevent Evisort from getting any more funding or to reduce the value of the company.

There are all sorts of attacks that occur on companies. Some of these are to get data to sell. Some might be to create bad press. Some might be to influence the value of the company or perhaps cost them customers. The attacks often aim to accomplish some secondary goal: reduce share price, interrupt funding, influence customers to stop doing business, or even make competitors look more valuable or desirable.

These are attacks on a company carried out by means of some other attack, like a hack of some sort.

The world is becoming more and more scary for data professionals. We have to be increasingly diligent, and not only be able to protect data, but prove we are protecting it. With the swift and strong reaction of many in social media, it behooves us to take extra precautions and ensure we have evidence of our taking precautions ready to dispute any misleading account. More importantly, we ought to know how to react if we do actually lose data. Think about this ahead of time, as you might not have time to do so once an event actually occurs.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.

About way0utwest

Editor, SQLServerCentral