After the EU’s General Data Protection Regulation went into effect at the end of May, the question for many companies and security personnel was how the new rules would work in practice. A first glimpse came in July, when a data breach made Timehop, the creator of an eponymous app that resurfaces old photos and social media posts, the first known U.S.-based company to disclose under GDPR guidelines.
On July 9, the company revealed that on July 4 malicious actors gained access to account information for its entire 21 million-user base. The hacked information contained names, email addresses, phone numbers and access tokens to social media sites. After further investigation, Timehop disclosed that users’ date of birth and gender were also part of the data obtained by the malicious actor.
The company’s response to the breach offers a clear model for how breach notification under GDPR Articles 33 and 34 could be made.
Understanding the GDPR Context
As defined in GDPR Article 4, Timehop was operating both as a “controller” and a “processor” of personal data. In other words, it was Timehop that decided to collect personal information and store that information for later use.
Articles 33 and 34 state that it is the controller’s responsibility to communicate the nature and scope of the breach in a timely fashion. For purposes of Article 33, which pertains to notification of a personal data breach to the supervisory authority, notification is to be made “without undue delay” and, where possible, within a 72-hour timeframe. The third paragraph of Article 33 states that a regulatory disclosure must include the nature of the data, the number of impacted individuals, an approximation of the number of records and any measures taken to both mitigate the impact of the data accessed and prevent future occurrences. For purposes of Article 34, notification to the individual (the “data subject”) should be made “without undue delay” in situations where the data breach is “likely to result in a high risk to the rights and freedoms” of the individual. Paragraph two of Article 34 also states that such disclosure to users must be presented in clear and plain language.
User Disclosure
Given the requirements of GDPR, it would seem that Timehop met its disclosure obligations. The company made its user disclosure under Article 34 in blog form, stating that the breach was first discovered at 4 p.m. on July 4 and was designated as a breach by its engineering team at 12:30 p.m. on July 5. This public disclosure occurred on July 9, approximately four days following the event. In its initial public disclosure, Timehop stated the number of impacted users and explained that it had invalidated the access tokens for social media sites and that users would need to re-authenticate access for those sites.
Timehop also provided guidance for how users could protect their phone numbers from being inappropriately used. To mitigate the potential for cached user access, all users were proactively logged out of the application. Users were provided with “next steps” and FAQs as well as reassurances about the nature of the data collected and its purpose. Timehop took the additional step of publishing its database schema to reassure even the most technical of users about what data was accessible to the malicious actors.
Regulatory Disclosure
A forensic investigation revealed that the breach followed a classic infiltration model. Timehop disclosed that the credentials for an administrative user were compromised in December. That account was used to create a new administrative account that was accessed multiple times over a six-month period. During this time, malicious actors evaluated which assets were best to compromise. Ultimately, they decided that extracting the user database during a major holiday in the United States was most opportune since any abnormal data activity would likely go unnoticed or be dismissed as the result of routine maintenance. The net result was a data exfiltration event lasting more than two hours on the Fourth of July.
During the investigation, Timehop’s engineering team identified the attack model (the compromise of a user account), and a potential mitigation action (the implementation of multi-factor authentication on all administrative accounts). Within three hours of multi-factor authentication being implemented, Timehop notified the relevant regulators and started the cyber incident response process.
Transparency is Key
The level of transparency provided by Timehop offers valuable security lessons for other companies. Timehop prioritized the rights and interests of its users and, by extension, the security community at large, stating that its “communications should be as open as possible without threatening security or compromising the investigation.” From these experiences, we now have an instructive template for meeting GDPR breach disclosure obligations:
- Continuous monitoring for abnormal situations in production is paramount—you cannot address what you do not measure.
- Assume a breach is in process unless proven otherwise—delays give attackers opportunity.
- If a breach is confirmed, assume you have obligations for disclosure as a controller.
- Following regulatory disclosures under Article 33, disclose the breach to the public and provide clear and actionable information for your users.
- Do not worry about getting the public disclosure perfect—it can always be updated with new information as your investigation continues. Transparency breeds trust and, in the face of a damaging event like a breach, you should take the opportunity to rebuild that trust from the outset.
The 2018 Cost of a Data Breach Study from IBM and the Ponemon Institute found that U.S.-based organizations take an average of 253 days to identify and contain a breach. For Timehop to be able to identify, contain and disclose a breach in a matter of days is commendable. Moreover, the company demonstrated that, while providing disclosure under GDPR may be painful, it is doable even when the full extent of the breach has yet to be determined. Rebuilding a brand damaged by a breach can be difficult, but by foregoing the natural tendency of organizations to withhold bad news, Timehop put itself in the best position to move forward.