Evernote data breach: lessons to be learned
A month on, Davey Winder analyses what others can learn from the Evernote data breach...


Five lessons to learn from the Evernote experience
Mark Sparshott, a director at Proofpoint, points out that companies not only have a legal duty to prevent breaches but also to disclose them to affected customers and partners, as well as increasingly to regulators such as the ICO within a reasonable time.
"In Europe the proposed new EU General Data Protection Regulation will make these responsibilities and reasonable time frames more explicit for companies," Sparshott explains.
Clearly there is the responsibility to protect the customers' interests, but the response from Evernote probably caused more anxiety than anything else.
Not disclosing breaches or being slow to disclose is no longer an option. As evidenced by the Evernote response, it's how that disclosure is handled that's the real issue.
"This type of document is an example of the cross-departmental authorship that must be well coordinated and accurate," says Tim TK Keanini, CRO at nCircle. "Legal, Marketing, and the IT staff all have to get it right and without some practice, something awkward like this is produced."
Lesson 1: Practice makes perfect, so have a plan and act upon it
"My advice is that each quarter, set a cross-departmental scenario where key people in departments play a role and act/document what they would do if some even were to occur. They include users accounts stolen, source code stolen, interruption of services," Keanini says.
"We have mandatory fire drills. It is about time we have mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro."
Calum MacLeod, an evangelist at Venafi, admits that ultimately there is no good way to deliver bad news but insists that erring on the side of caution could be an initial lesson to be learned from the way Evernote handled its response.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Clearly there is the responsibility to protect the customers' interests, but the response from Evernote probably caused more anxiety than anything else," MacLeod told IT Pro.
"What you have is a calamitous chain of events starting with the admission that only the passwords were being encrypted. In other words, Evernote was admitting that it either didn't understand the value of the data they were holding, or didn't consider it important enough to encrypt."
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
By Ross Kelly
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
By Connor Jones
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
By Danny Bradbury
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
By Rene Millman
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
By Praharsha Anand
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
By Rene Millman
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
By Rene Millman
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
By Rene Millman