October 26, 2020

Enhancing the Security of Data Breach Notifications and Settlement Notices

[This post was jointly written by Ryan Amos, Mihir Kshirsagar, Ed Felten, and Arvind Narayanan.]

We couldn’t help noticing that the recent Yahoo and Equifax data breach settlement notifications look a lot like phishing emails. The notifications make it hard for users to distinguish real settlement notifications from scams. For example, they direct users to URLs on unfamiliar domains that are not clearly owned by the company that was breached or by any other trusted entity. Practices like this lower the bar for scammers to create fake phishing emails, potentially victimizing users twice. To illustrate the severity of this problem, Equifax mixed up domain names and posted a link to a phishing website from its Twitter account. Our discussion paper presents two recommendations to stakeholders to address this issue.

First, we recommend creating a centralized database of settlements and breaches, with an authoritative URL for each one, so that users have a way to verify the notices distributed. Such a database has precedent in the Consumer Product Safety Commission (CPSC) consumer recall list. When users receive notice of a data breach, this database would serve as a reliable authority to verify the information included in the notice. A centralized database has additional value outside the data breach context as courts and government agencies increasingly turn to electronic notices to inform the public, and scammers (predictably) respond by creating false notices.

Second, we recommend that no settlement or breach notice include a URL to a new domain. Instead, such notices should include a URL to a page on a trusted, recognizable domain, such as a government-run domain or the breached party’s domain. That page, in turn, can redirect users to a dedicated domain for breach information, if desired. This helps users avoid phishing by allowing them to safely ignore links to unrecognized domains. After the settlement period is over, any redirections should be automatically removed to avoid abandoned domains from being reused by scammers.
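To make the second recommendation concrete, here is an added example (our own illustration, not code from the paper or any settlement site) of the two pieces it implies: a check that a link in a notice is on a recognized domain, and a redirect on that trusted domain that stops resolving once the settlement period ends. The domain names, paths, and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: the domains a user is told to trust (breached party, government).
TRUSTED_DOMAINS = {"breached-company.example", "settlements.example.gov"}


@dataclass(frozen=True)
class Redirect:
    target: str   # dedicated settlement site the trusted page forwards to
    expires: str  # last day of the settlement period, ISO format


# Constructed sample: path on the trusted domain -> redirect record.
REDIRECTS = {
    "/breach-2020": Redirect("https://claims-vendor.example/start", "2021-01-31"),
}


def notice_url_is_trusted(url: str) -> bool:
    """True only for an HTTPS link whose host is a trusted domain or a
    subdomain of one. Lookalikes such as 'example.gov.evil.test' fail."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def resolve_redirect(path: str, today_iso: str) -> Optional[str]:
    """Return the redirect target for a settlement path, or None when the
    path is unknown or the settlement period has ended, so a trusted page
    never forwards users to a domain that may since have been abandoned."""
    rec = REDIRECTS.get(path)
    if rec is None:
        return None
    if date.fromisoformat(today_iso) > date.fromisoformat(rec.expires):
        return None
    return rec.target
```

A notice would then link only to `https://breached-company.example/breach-2020`, and the expiry check is what removes the redirect automatically after the settlement closes.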

Comments

  1. Ed,

    Call me a cynic, but you do realize that most breach notices do not want consumers to actually respond, right? That is, of course they are going to make the notices look like scams, because they save money if no one actually bothers to take them up on the offers of “free credit monitoring” (which is usually the only thing they bother to offer after such a breach).

    Indeed, with the Equifax breach, the website they set up specifically asked people for their PII before even telling them if they might have been affected. In other words, Equifax probably was hacked; but the “remedy” was designed specifically so Equifax could profit off of even more data collection. But then Equifax is a credit data collection agency in the first place, so they weren’t going to monitor everyone’s credit for free; hence they had to find another way to profit from the breach.

    Whereas other companies simply don’t want to pay out money when they have been breached, much better to send a notice that appears to be a scam and thus get few responses; but then they can legally claim they “did their duty to notify affected consumers.”