Public Relations (PR) is a key part of security incident response. You need to keep your partners, customers, and potential partners and customers (the public and press) informed of what is going on... at least at some level.
Last week, several online news sites and forums broke a story about NCSoft having some serious problems with its master account which may have been causing a large number of incidents of account theft and, disturbingly, people logging in and finding themselves in control of some other customer's account.
I have been following these stories... the scenario did not make too much sense (logging into OTHER people's accounts?!?!?!) and I wanted to wait for the dust to settle.
It hasn't.
Instead, there seems to be a growing tide of stories about some sort of pretty serious security problem at NCSoft with no systematic response from the company.
Messages on community forums don't count.
At this point, it looks like the story is getting away from NCSoft. While the coverage has been restricted so far to online games news and community sites, there is a potential for the news to cross over to the mainstream press.
Also, depending on the nature of the problem, NCSoft may need to notify customers under California (and other) data disclosure laws if personal information has been compromised (something the company faced in Korea several years ago).
We will see if NCSoft moves to get ahead of its perception problem in the next couple of days... and if they ever disclose anything about what the underlying security problem is or was.
Last week, several online news sites and forums broke a story about NCSoft having some serious problems with its master account which may have been causing a large number of incidents of account theft and, disturbingly, people logging in and finding themselves in control of some other customer's account.
I have been following these stories... the scenario did not make too much sense (logging into OTHER people's accounts?!?!?!) and I wanted to wait for the dust to settle.
It hasn't.
Instead, there seems to be a growing tide of stories about some sort of pretty serious security problem at NCSoft with no systematic response from the company.
Messages on community forums don't count.
At this point, it looks like the story is getting away from NCSoft. While the coverage has been restricted so far to online games news and community sites, there is a potential for the news to cross over to the mainstream press.
Also, depending on the nature of the problem, NCSoft may need to notify customers under California (and other) data disclosure laws if personal information has been compromised (something the company faced in Korea several years ago).
We will see if NCSoft moves to get ahead of its perception problem in the next couple of days... and if they ever disclose anything about what the underlying security problem is or was.
