Over the weekend I was hacked.
Not all of my accounts, and I have very different and secure passwords for my important things like banking, but my Twitter account for the space of a few hours started telling people how I had found the job of their dreams and all they needed to do was to click on a link. I have no idea how it happened and fixed it asap, but not before dozens of DMs had been sent out to people I would hate to be spamming.
Was this my fault? No. My password was reasonably secure with numbers and letters forming it, and I hadn’t been giving access to any old website willy-nilly. However, did it affect me? Yes. I felt a burning need to message everyone who had received spam under my name and apologise, despite the fact that this would both imply it had indeed been my fault and would probably add to my spam count.
Thankfully the link being sent out was relatively harmless (i.e. a link to a supposed job opportunity rather than anything x-rated) and was picked up on within a couple of hours of it happening on a Sunday morning, but it did make me consider the implications of a bigger hack on a council controlled account. What might the implications be? Who would respond? And what would they say?
There are many different severities of hacking incidents and people far smarter than I have spoken about this in detail, especially around the technical side of things. The arguments over whether using a 12- or 15-character cryptographic hash function to generate a salted password is enough is beyond me – I barely understand that very sentence, nor know whether it is correct – but the issue of the more human side of interventions is something I do understand and can grasp with both hands.
In my eyes, many of the implications of being hacked in the same way I was are managed by the immediate response of those responsible for the account in question. I don’t believe that a hacked account results in a loss of trust in an organisation (unless of course that organisation sold anti-hacking software), nor do I believe that any reputational damage is irreparable. It does however require swift and decisive action to be taken if impacts are to be managed.
There is no real way to undo the fact that an account was hacked (though obviously there are a number of preventative measures), so it’s no use trying to hide it by deleting things from your outbox. If anything, I’d say it’s more useful to record who was sent what and when in order to build up a digital paper trail if needed in the future.
In my situation, as soon as I found out about the hack I jumped straight onto Twitter and changed my password. Sounds simple enough, but it would be easy to skip this step in order to jump into damage and message control without plugging the flow at its source. My old password was dumped, with a new even more secure (hopefully) password added. This should be the first item on anyone’s list after discovering a hack.
Next would be some notification and investigation. I’m not talking about a huge review here, but a message to whoever was ultimately responsible for the account so they were involved in the decision-making process from then on would be a start. As for investigation, finding out what was sent to whom and whether it was public or private would go some way to understanding the scope of the problem.
If public, a deletion of the offending posts is worth doing (after recording them of course). This prevents them from spreading wider and potentially affecting other accounts.
This next step may be a point of difference between some, but I would say a public announcement of the hack is in order. Opponents to this advice might say that this is highlighting the problem and attracting unnecessary attention to it; if things are deleted then perhaps most people won’t notice. However, odds are that someone will indeed have noticed, and by not saying anything about it you are not letting them know that it was indeed a hack and not something posted up deliberately. A clear statement outlining the situation, the extent of the issue and what you have done/will do to rectify it will reassure those who noticed it as well as those who didn’t.
This all of course assumes that the person(s) doing the hacking are entirely unknown to the organisation, and that it is a genuine hack rather than a disgruntled employee venting their digital spleen or mistakenly posting something damaging up on an official account. Those incidents need to be dealt with as well, though using somewhat different tactics as was done by Walsall Council some time ago after just such an incident. They quickly identified the issue and dealt with it without fuss or defensiveness, and as a result received practically no negative press.
At the end of the day, no-one is 100% protected against the most determined of hackers. Even major corporations and the most secure government systems get hacked from time to time, but it is important that personally and professionally we do what we can to limit the risk. Just as a locked door and closed windows can still be broken into, the idea is that it deters the casual burglar; the same goes with digital security.
So where does this leave us? For me it left me with a longer and more complicated password to remember and a nagging feeling that I should personally apologise in person to everyone who suffered at my zombie account’s hands. For organisations who go through the same it could leave them with a group of followers who actually appreciate that when things go wrong Council staff will work quickly and efficiently to put them right.
And it might hopefully leave a few people with plans to think through how they might respond should this happen to them.