After threatening me with legal action, Keepnet Labs finally issues statement over data breach

████ me, could they have taken any longer?

Graham Cluley @gcluley


UK security company Keepnet Labs has publicly confirmed that a database it had collated containing more than five billion records from past data breaches was “briefly exposed” on the internet.

If you think you’ve heard about this before, you’re right.

I first reported on the security breach back in March, following the initial discovery of the exposed data – which could be accessed without a password or any authentication – by security researcher Bob Diachenko.

Now, if I were a security firm which found itself embroiled in an embarrassing breach like this, I think I would be keen to be transparent about what had occurred, and to share what I had done to ensure that similar problems did not occur again.

Honesty, after all, is the best policy – and by apologising and behaving openly you can actually build trust inside this crazy industry of ours.

But Keepnet Labs didn’t do that. Instead, it contacted media outlets requesting that their name be removed from the news reports.

It even contacted people who had simply been quoted in the news reports (individuals who didn’t even name Keepnet Labs in the quote they offered journalists) and threatened them with legal action unless they somehow withdrew their comment.

Crazy stuff.

I was one of the blogs that Keepnet Labs contacted.

But as far as I could see, I hadn’t made any mistakes in my article.


I gave Keepnet Labs multiple opportunities to tell me what was incorrect in my article, or to offer me a public statement that I could include in the article. I told them I was keen to present the facts accurately.

Here’s part of one email I sent Keepnet Labs:

I continue to offer you a right of reply on my website. I am happy to include an update on the existing article containing a statement from your company, refuting the claim (if you wish) and (if you wish) clarifying what actually happened. I’m sure this would be a big reassurance for your customers and potential future customers.

I could quote from our email exchanges – indeed I could have done this weeks ago – if you are uncomfortable crafting a formal statement, but I’m not keen on quoting private correspondence without the permission of the other party.

Do please let me know how you would like to proceed so we can close this matter as quickly as possible. I’m confident that a brief statement from KeepNet Labs republished on my site could resolve this issue by the end of the day!

But Keepnet Labs didn’t want to offer a statement, or talk publicly about what happened.

Instead, earlier this month, Keepnet Labs threatened me with legal action for publishing an article naming them in relation to the security breach, and demanded I remove their name from the article.

The letter from Keepnet Labs’s law firm.

One of the oddities of this letter is that they say the offending statement is:

“Keepnet Labs Breached Customer Data or 5B+ records”

However, these are words that never appeared in my article. To be clear (and I’m sure you could use the Wayback Machine if you wanted to check), at no point did I claim that Keepnet Labs customers had been impacted by the security breach.

Anyway, after weeks of failing to get any co-operation from Keepnet Labs about what actually happened, and unwilling to enter a time-wasting legal tussle, I decided to remove their name from my article.

I announced on Twitter that the article had been updated and why, although I was careful not to mention Keepnet Labs.

What’s news now is that Keepnet Labs – sorry, ███████ ████ – has issued a public statement about the security breach which occurred two months ago.

I suspect Keepnet Labs only issued its statement because of the dogged determination of Rob Scammell, deputy editor of Verdict, and the army of Twitter users who responded to my tweet by using their ingenuity to uncover who the company was that had gagged me.

In its newly-published public statement, Keepnet Labs says it “accepts full accountability for this incident” but blames it on an unnamed third-party service provider to which it had outsourced the database management.

Keepnet Labs is also keen to underline that none of its customer data was exposed. The exposed data had been collected from past security breaches.

Which is, of course, what I said in my article.

Just to be clear, and for the record, I welcome Keepnet Labs publishing a public statement about the data exposure. I think that’s a good thing they have done.

They should, of course, have done it back in March rather than waiting for June. Taking so long to make a statement and trying to get your name removed from news articles isn’t a good look. Especially for a security firm.

Security firms should be examples for all businesses on how to behave after a security breach. Transparency, disclosure of what went wrong, and what steps are being taken to ensure that something similar doesn’t happen again are key to building trust and confidence from customers and the rest of the industry.

Disclosures of failure can be painful, but they ultimately are less embarrassing and damaging than cover-ups. Most of us in the industry accept that accidents can happen, and mistakes can occur. We should own up to our mistakes in a prompt fashion and lead by example.

Keepnet Labs would have done well to publish its statement at the time the breach was disclosed and work with the news agencies and bloggers to give their side of the story rather than against them.

Keepnet Labs’s failure to respond in a timely and transparent fashion, and their attempt to remove themselves from the story, made this a much bigger deal than it ever would have been otherwise.

To hear more about what happened, check out this episode of the “Smashing Security” podcast.

Smashing Security #182: 'Space Force, credit card fraud, and beep-ti-beep'



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

6 Replies to “After threatening me with legal action, Keepnet Labs finally issues statement over data breach”

  1. Only thing is, you caved to this company instead of checking that legally you were bullet proof. It doesn't really show anything but a lack of journalistic integrity and suggests you are little more than a reposter rather than a reporter. We aren't angry, just disappointed.

    1. How is he supposed to check that he is legally bullet-proof without spending money that he doesn't want to spend? And how is this a lack of journalistic integrity? Or would you need to get your own suit in order to understand the niceties? Your comment just comes across as a poor attempt at a smear. Unless I misunderstood your offer to pay his legal fees?

    2. Am I the only one who feels sorry for this company?

      Yes they handled your callous indifference toward what is effectively a bullet to the head for their company imperfectly (just because personal gain was your motive it doesn't absolve you), but this is a far cry away from an actual breach.

      You've taken a small oversight by an engineer that had no potential to cause harm and decided to profit by it at the very real expense of the owners and employees of this company.

      You might as well go after archive.org for all the good you've done the world here.

      NB. I've nothing to do with the sec company mentioned in this article (or any in the industry for that matter), I just know exploitation when I see it and it's all the more sickening when dressed up as a public service.

      These things stick in people's minds Graham…

      I hope the company in question is afforded the chance to learn from their mistake, in a way that the majority of us have in the past because thankfully the gutter press wasn't going through our bins.

  2. Strange that people are attacking Graham's integrity and feeling sorry for a company that used legal harassment to avoid owning up to their mistake and even blamed him for saying something he did not say. Did you not read the whole part where Graham gave them multiple opportunities to correct the record and offered his site for their clarification or rebuttal? That is journalistic integrity in my book. And as far as backing down, I would say Graham's posting clearly shows that he stayed involved by identifying the poor manner in which the company handled the situation and had even offered them good advice on how to handle it. Instead KeepNet chose a different, confrontational approach. That was their choice and they deserve to be called out for it.

    1. "Instead KeepNet chose a different, confrontational approach. That was their choice and they deserve to be called out for it."

      I'm not surprised they took the route they did, frankly legal action sounds like a reactive move made probably on advice from a third party when the company was faced by an aggressor who was clearly (as per your comment) hell bent on tarring them with about the worst possible brush for any organization these days…a stain that it fundamentally did not deserve: whatever this was (nothing mostly) it wasn't a leak. There was no risk of harm, no potential victims, nothing.

      What would you do if approached by a journalist who had a tape of you engaged in conversation with a child at an airport, and as a result was accusing you of sexual assault on a minor? I expect this is not ballparks away what you've kindly done to KeepNet. 'Offering' an opportunity to make a statement is simply twisting the knife.

      I don't want to live in a world where this is acceptable, let alone considered to be anything but the world sort of bottom feeding. Thankfully I don't, even the most unsavoury news outlets didn't pick this up and run with it, and for good reason.

      Like so many sadistic Facebook trolls before you, you've managed to create a little bubble filled with equally damaged people telling you that what you're doing is okay, normal even.

      I'll leave this blog alone now, I've said my bit. I really don't have anything to do with KeepNet, they're probably all complete bastards but they didn't deserve to be targeted by an opportunist with no qualms about causing irreparable damage all based off a false premise maliciously arrived at and backed up by a sort of DDoS from goons on Twitter. At least with blackmail and extortion you get a choice, with Graham Cluely you just get shafted.

      I bet this comes back to bite you. Most people won't bother becoming outraged and feeling compelled to comment like me, they will just pop a little red dot next to the name Cluely in thick, permanent pen, reflect for a minute on the long way the google news algorithm has still to go and continue with their day.

      1. > Even the most unsavoury news outlets didn't pick this up and
        > run with it, and for good reason.

        I know you've decided to leave this blog now, and probably won't read this. But please allow me to interject for a second, with a minor correction.

        The news was initially covered by several security news outlets which initially mentioned Keepnet Labs and then – presumably having received similar pressure to that I received from the company – removed their name from their articles.

        These include, but are not limited to, Security Affairs, IAPP, SC Magazine, CISO Magazine, and HackRead. Security Week also reported the story and has still not – to my knowledge – removed Keepnet's name. None of these articles mentioned me, and indeed some of them were probably written before my article. So I can’t claim any credit for what they wrote.

        In addition, The Register and Verdict have written articles about Keepnet's poor handling of the aftermath of the security breach, and how they attempted to wipe their name off the articles written about the breach.

        As far as I can tell I was targeted by Keepnet Labs’s lawyers because I kept asking them for an explanation as to what happened, rather than just removing their name without question. They did not want to give an explanation of what happened, or offer any kind of statement that I could publish.

        I’ll leave it to readers to decide for themselves why they were reluctant to give an explanation of what happened – it certainly seems very odd to me.

        I do think if Keepnet Labs had simply been transparent and explained what happened in the first place, there wouldn’t have been all this kerfuffle.

        As for the other points in your article, I’ll leave it to others to respond to if they wish… as I could be accused of being biased in my opinion of the author. :)
