One day in the fall of 2014, when I was still helping run a startup I co-founded (not the one I’m working for now), a client forwarded me an email he thought was suspicious.
The email looked a lot like something my company would send. It linked to a website that looked a lot like ours that offered a great deal on the same service we provided. The site’s URL was almost identical to ours, too.
Right away I had a bad feeling, but my first reaction was to tell myself it was just a competitor that had somehow gotten the email of a single client.
Not a big deal.
Then another client forwarded the same email. And another, and another.
Pretty quickly it became clear that someone had gotten a list of our clients and was sending them emails to try to trick them into paying the wrong company for our service.
I was angry and worried. Who was doing this? How had they gotten our clients’ information? How much did they have?
Ultimately, I think the way we reacted was mostly good, but we did make a few key mistakes. I hope that if you’re ever in this situation, my story will help you respond better.
First response: What we did right
The first thing we did was communicate with our clients. We sent an email outlining what we knew so far, warning them not to click on links in any emails they’d received from the bogus company, and to forward anything suspicious to us.
We assured them we were looking into what happened and would be transparent.
Next, we started doing some research. We combed through emails our clients forwarded to us, and asked our IT person to check our site and see if there’d been a breach. We also started researching the source of the emails.
IT couldn’t find a breach, but the emails showed a pattern. Every recipient was a client whose information had once been stored in a web application we no longer used. We were also getting emails sent to test accounts that had only ever existed in that old application.
The signs pointed to the old web app as the source of the breach. We quickly updated our clients, explaining who was affected, why, and what data could have been compromised.
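The attribution step above (matching the targeted addresses against every system that ever held client data, and treating test accounts that only existed in one system as the decisive signal) can be made systematic. This is an added example, not code from the original post; the address lists and system names are constructed.

```python
"""Attribute a phishing campaign's target list to the data source it leaked from.

Added example. Given the addresses that received the bogus email and an export
of each system that ever held client data, it ranks the sources by how well
they explain the targets. Canary/test accounts are the strongest evidence: a
real client may appear in every system, but a test account that only ever
lived in one of them cannot have leaked from anywhere else.
"""
from dataclasses import dataclass, field


@dataclass
class Attribution:
    source: str
    coverage: float                     # fraction of targets present in this source
    unique_hits: int                    # targets present in this source and no other
    canary_hits: list = field(default_factory=list)  # test accounts of this source that were targeted


def normalize(addr):
    """Case-fold and trim so 'Carol@Example.com' matches 'carol@example.com'."""
    return addr.strip().lower()


def attribute(targets, sources, canaries):
    """sources: {name: addresses}; canaries: {name: test accounts unique to that source}."""
    t = {normalize(a) for a in targets}
    src = {n: {normalize(a) for a in addrs} for n, addrs in sources.items()}
    results = []
    for name, addrs in src.items():
        others = set().union(*(s for n, s in src.items() if n != name))
        hits = t & addrs
        unique = hits - others
        canary = sorted(t & {normalize(c) for c in canaries.get(name, [])})
        results.append(Attribution(name, len(hits) / len(t) if t else 0.0, len(unique), canary))
    # Rank: canary hits first, then addresses only this source could explain, then raw overlap.
    results.sort(key=lambda r: (len(r.canary_hits), r.unique_hits, r.coverage), reverse=True)
    return results


# Constructed sample data (fictional addresses and system names).
TARGETS = ["alice@example.com", "bob@example.net", "qa-test-01@example.org", "Carol@Example.com"]
SOURCES = {
    "current_crm": ["alice@example.com", "carol@example.com", "dave@example.com"],
    "legacy_webapp": ["alice@example.com", "bob@example.net", "carol@example.com", "qa-test-01@example.org"],
}
CANARIES = {"current_crm": ["qa-test-02@example.com"], "legacy_webapp": ["qa-test-01@example.org"]}

if __name__ == "__main__":
    for r in attribute(TARGETS, SOURCES, CANARIES):
        print(f"{r.source}: coverage={r.coverage:.2f} unique={r.unique_hits} canaries={r.canary_hits}")
```

The top-ranked source is also the population to notify, and its intersection with the targets is the exact list to hand to the abuse desk of whatever provider delivered the emails.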
We contacted the old web app service, told them what happened, and asked them to please remove all of our legacy data from their systems.
We also figured out which bulk email service the hacker used to send the emails, and reported the situation to them. Within a few hours, we got a response that the matter had been investigated and that the sender was now barred from using that service.
This helped a lot. Besides stopping them from sending more emails from that service, it killed the links in emails they’d already sent, so clicking them sent our clients nowhere. Finally, we took steps to harden security at our company.
So far, so good.
Getting mad about it: Where I went wrong
I was mad about what had happened.
Telling clients that their information hadn’t been secure with us embarrassed me. I had to waste messages to our hard-won email marketing list on explaining this situation, rather than our service.
And it worried me that it’d hurt our small, cash-strapped startup.
Not only that, I was already extremely busy. It made me angry that time I could have been spending on lots of other things was getting sucked up by this.
So, alongside everything else, I started researching the person responsible for sending the emails.
It didn’t take long to figure out who it was and to find a Skype account to contact. I tried calling, but the person refused to answer, so I ended up having a Skype chat with him. I told him what we knew, promised that we would report him to whatever legal entity had jurisdiction (I never found anyone in law enforcement who cared to do anything), and told him we’d already had him kicked off one email service and would continue to do this with any others we found him using.
He claimed he’d never hacked our system and had purchased the emails as leads elsewhere, with no knowledge that they’d been stolen from our company. It was almost believable, but then how had he known to build a site so similar to ours, with a similar URL and similar emails?
I called him a liar and a few other choice words.
I don’t know what I was expecting from this. At best, I only let him know that we’d discovered his scheme and gave him an opportunity to thwart our efforts to fix the situation. At worst, I may have angered someone who could have done some serious damage to my business.
For months afterward I was paranoid that my company would be attacked in some way. Luckily, my angry confrontation didn’t lead to any further problems.
He sent a few more emails to our clients, and each time we were able to get him kicked off the email service he used. Eventually, it stopped.
What Yoda was trying to tell me all along
If you ever find yourself in a similar situation, I advise communicating with your clients immediately. I don’t think we lost one client as a result of the hack, and I think a big part of our success there was transparency.
Also, research the situation and do everything you can to figure out how and why it happened, so that you can mitigate further damage. Part of the reason we were able to get the hacker kicked off bulk email services is that we could tell providers exactly which email addresses had been stolen. They compared this with the list the hacker had uploaded, which corroborated our report.
Remember that just because you’ve stopped using a particular web-based tool doesn’t mean your and your clients’ information no longer resides there. Talk to services you’ve worked with in the past, find out what’s happened to your old data, and if it’s still there, get it deleted.
Finally, resist the temptation to contact the people responsible. Report them to anyone who might be able to help you, be transparent with your customers, and mitigate the damage.
Let go of your anger. As a famous Jedi master once said, it’s the path to the dark side.