ALPHAGRAD

Willful Ignorance an Exceedingly Unethical Decision

Nicholas Zahansky
August 3, 2022

In February 2020, Slickwraps, a manufacturer of vinyl skins for phones and tablets, suffered a major data breach. In January 2020, a cybersecurity researcher who goes by the name Lynx had discovered major security flaws in Slickwraps' website. Lynx was able to gain full access to databases that contained the emails and hashed passwords of more than 370,000 customers, as well as customer-uploaded images and employee resumes. Lynx attempted to contact the company about the serious vulnerabilities he had discovered multiple times and through multiple channels. However, all of his messages were blocked or ignored. Given the lack of acknowledgment from Slickwraps, Lynx decided to make the vulnerabilities he had discovered in Slickwraps' site public by posting on Medium. Despite the information being public, the company continued to ignore the vulnerabilities. Shortly after the post was made public, a second hacker used the exploit to send a mass email to 370,000 of Slickwraps' customers indicating that the site had been breached and their information was compromised (Abrams, 2020).

Slickwraps had multiple chances to do the right thing. However, the company decided on multiple occasions to ignore the messages that would have helped it improve its security and protect its customers. While it is unclear what discussions were happening internally regarding the vulnerabilities, the company compounded its unethical conduct by publicly lying about when it became aware of the vulnerabilities, even though the information had been public much earlier.

The actual impact of the breach was somewhat minor, as the motives of both hackers who exploited the system were really only to correct the vulnerabilities. However, the potential impact was far greater, considering that bad actors might not have even made the organization aware of the breach. They would likely have just absconded with the data and sold it on the dark web.

The organization's decision to ignore the warnings was clearly the wrong choice. The organization should have understood the potential impact a breach could have on its customers and taken the necessary remediation steps. Even if the organization did not take the site down temporarily until it implemented fixes, it could have at least acknowledged the information the researcher was giving it and attempted to fix the flaws.

It should go without saying that if a researcher contacts you about vulnerabilities in your system, it is a good idea to at the very least investigate the claims, because the bad actors won't. Such a blatant disregard for security is a rare occurrence. However, it should send a message to those with this attitude that it will not go unnoticed, and they will be breached, causing their company losses in revenue and trust.

References

Abrams, L. (2020, February 21). Slickwraps data breach exposes financial and customer info. BleepingComputer. Retrieved July 20, 2022, from https://www.bleepingcomputer.com/news/security/slickwraps-data-breach-exposes-financial-and-customer-info/