Microsoft joins the Friday afternoon hack confessional

There seems to be a sea-change underway in the willingness of companies to admit when they have been the victims of cyber attacks. More have been coming forward, even when they appear to have no legal obligation. But the timing and nature of the disclosures differ greatly.

Take Microsoft’s apparent admission that it has succumbed to the same attack that has hit several other big tech companies. Compared even with Apple, traditionally the tech industry’s most secretive company, its disclosure was both late and light on detail.

In fact, “disclosure” almost feels like too strong a word for the statement that Microsoft put out on Friday afternoon, traditionally a time for burying news you don’t want to see widely reported in the media. Take this rather startling opening line:

As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

Not only does Microsoft hide behind the troubles of its rivals, it doesn’t even admit the nature of the attack to which it has succumbed. Does “similar” mean “same”? A spokesperson says no further details are forthcoming.

Facebook, by contrast, gave an admirably detailed account of how the computers of some of its employees were compromised after visiting an online forum for mobile app developers. The malware took advantage of a flaw in Java: after Facebook reported the problem, Oracle brought forward a scheduled series of patches for Java by more than two weeks.

After a report by Reuters, Apple also said that malware spread through “a website for software developers” had taken advantage of “a vulnerability for the Java plug-in for browsers” to hit some of its employees’ machines.

And Microsoft? While not disclosing what actually happened, it didn’t miss a second opportunity to take a jab at a rival, highlighting the fact that Macs were among the machines infected:

During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations.

A further difference concerns timing. Twitter was the first to own up at the start of this month, though it also appears to have been the only one of the companies whose users were affected by the attack, with up to 250,000 accounts at risk. Earlier this week Microsoft was still refusing to respond to questions on the subject, before belatedly putting out a statement with this vague explanation:

Consistent with our security response practices, we chose not to make a statement during the initial information gathering process.

So should customers be worried by the vulnerabilities that have been exposed? It’s hard to tell. Microsoft concludes with a line that makes this all sound like business as usual. It’s clearly meant to be reassuring – but when you stop to think about it, it doesn’t offer much reassurance at all:

This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries.

Still, at least there is no evidence that customer data was compromised. This round of hacks will go down as a warning shot. It will be interesting to see how the disclosures change the next time around – particularly if the outcome is less benign.